id,page,ref,title,content,breadcrumbs,references
plugin_hooks:default-deny-with-an-exception,plugin_hooks,default-deny-with-an-exception,Default deny with an exception,"Combine a root-level deny with a specific table allow for trusted users.
                        The resolver will automatically apply the most specific rule. 
                     from datasette import hookimpl
from datasette.permissions import PermissionSQL

TRUSTED = {""alice"", ""bob""}


@hookimpl
def permission_resources_sql(datasette, actor, action):
    if action != ""view-table"":
        return None

    actor_id = (actor or {}).get(""id"")

    if actor_id not in TRUSTED:
        return PermissionSQL(
            sql=""""""
                SELECT NULL AS parent, NULL AS child, 0 AS allow,
                       'default deny view-table' AS reason
            """""",
        )

    return PermissionSQL(
        sql=""""""
            SELECT NULL AS parent, NULL AS child, 0 AS allow,
                   'default deny view-table' AS reason
            UNION ALL
            SELECT 'reports' AS parent, 'daily_metrics' AS child, 1 AS allow,
                   'trusted user access' AS reason
        """""",
        params={""actor_id"": actor_id},
    ) 
                     The  UNION ALL  ensures the deny rule is always present, while the second row
                        adds the exception for trusted users.","[""Plugin hooks"", ""permission_resources_sql(datasette, actor, action)"", ""Permission plugin examples""]",[]