id,page,ref,title,content,breadcrumbs,references
plugin_hooks:allow-alice-to-view-a-specific-table,plugin_hooks,allow-alice-to-view-a-specific-table,Allow Alice to view a specific table,"This plugin grants the actor with  id == ""alice""  permission to perform the
                         view-table  action against the  sales  table inside the  accounting  database. 
                     from datasette import hookimpl
from datasette.permissions import PermissionSQL


@hookimpl
def permission_resources_sql(datasette, actor, action):
    if action != ""view-table"":
        return None
    if not actor or actor.get(""id"") != ""alice"":
        return None

    return PermissionSQL(
        sql=""""""
            SELECT
                'accounting' AS parent,
                'sales' AS child,
                1 AS allow,
                'alice can view accounting/sales' AS reason
        """""",
    )","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)"", ""Permission plugin examples""]",[]
plugin_hooks:default-deny-with-an-exception,plugin_hooks,default-deny-with-an-exception,Default deny with an exception,"Combine a root-level deny with a specific table allow for trusted users.
                        The resolver will automatically apply the most specific rule. 
                     from datasette import hookimpl
from datasette.permissions import PermissionSQL

TRUSTED = {""alice"", ""bob""}


@hookimpl
def permission_resources_sql(datasette, actor, action):
    if action != ""view-table"":
        return None

    actor_id = (actor or {}).get(""id"")

    if actor_id not in TRUSTED:
        return PermissionSQL(
            sql=""""""
                SELECT NULL AS parent, NULL AS child, 0 AS allow,
                       'default deny view-table' AS reason
            """""",
        )

    return PermissionSQL(
        sql=""""""
            SELECT NULL AS parent, NULL AS child, 0 AS allow,
                   'default deny view-table' AS reason
            UNION ALL
            SELECT 'reports' AS parent, 'daily_metrics' AS child, 1 AS allow,
                   'trusted user access' AS reason
        """""",
        params={""actor_id"": actor_id},
    ) 
                     The  UNION ALL  ensures the deny rule is always present, while the second row
                        adds the exception for trusted users.","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)"", ""Permission plugin examples""]",[]
plugin_hooks:permission-plugin-examples,plugin_hooks,permission-plugin-examples,Permission plugin examples,"These snippets show how to use the new  permission_resources_sql  hook to
                    contribute rows to the action-based permission resolver. Each hook receives the
                    current actor dictionary (or  None ) and must return  None  or an instance or list of
                     datasette.permissions.PermissionSQL  (or a coroutine that resolves to that).","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)""]",[]
plugin_hooks:read-permissions-from-a-custom-table,plugin_hooks,read-permissions-from-a-custom-table,Read permissions from a custom table,"This example stores grants in an internal table called  permission_grants 
                        with columns  (actor_id, action, parent, child, allow, reason) . 
                     from datasette import hookimpl
from datasette.permissions import PermissionSQL


@hookimpl
def permission_resources_sql(datasette, actor, action):
    if not actor:
        return None

    return PermissionSQL(
        sql=""""""
            SELECT
                parent,
                child,
                allow,
                COALESCE(reason, 'permission_grants table') AS reason
            FROM permission_grants
            WHERE actor_id = :grants_actor_id
              AND action = :grants_action
        """""",
        params={
            ""grants_actor_id"": actor.get(""id""),
            ""grants_action"": action,
        },
    )","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)"", ""Permission plugin examples""]",[]
plugin_hooks:restrict-execute-sql-to-a-database-prefix,plugin_hooks,restrict-execute-sql-to-a-database-prefix,Restrict execute-sql to a database prefix,"Only allow  execute-sql  against databases whose name begins with
                         analytics_ . This shows how to use parameters that the permission resolver
                        will pass through to the SQL snippet. 
                     from datasette import hookimpl
from datasette.permissions import PermissionSQL


@hookimpl
def permission_resources_sql(datasette, actor, action):
    if action != ""execute-sql"":
        return None

    return PermissionSQL(
        sql=""""""
            SELECT
                parent,
                NULL AS child,
                1 AS allow,
                'execute-sql allowed for analytics_*' AS reason
            FROM catalog_databases
            WHERE database_name LIKE :analytics_prefix
        """""",
        params={
            ""analytics_prefix"": ""analytics_%"",
        },
    )","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)"", ""Permission plugin examples""]",[]