{"id": "plugin_hooks:plugin-hook-permission-allowed", "page": "plugin_hooks", "ref": "plugin-hook-permission-allowed", "title": "permission_allowed(datasette, actor, action, resource)", "content": "datasette  -  Datasette class \n                     \n                         You can use this to access plugin configuration options via  datasette.plugin_config(your_plugin_name) , or to execute SQL queries. \n                     \n                 \n                 \n                     actor  - dictionary \n                     \n                         The current actor, as decided by  actor_from_request(datasette, request) . \n                     \n                 \n                 \n                     action  - string \n                     \n                         The action to be performed, e.g.  \"edit-table\" . \n                     \n                 \n                 \n                     resource  - string or None \n                     \n                         An identifier for the individual resource, e.g. the name of the table. \n                     \n                 \n             \n             Called to check that an actor has permission to perform an action on a resource. Can return  True  if the action is allowed,  False  if the action is not allowed or  None  if the plugin does not have an opinion one way or the other. \n             Here's an example plugin which randomly selects if a permission should be allowed or denied, except for  view-instance  which always uses the default permission scheme instead. \n             from datasette import hookimpl\nimport random\n\n\n@hookimpl\ndef permission_allowed(action):\n    if action != \"view-instance\":\n        # Return True or False at random\n        return random.random() > 0.5\n    # Returning None falls back to default permissions \n             This function can alternatively return an awaitable function which itself returns  True ,  False  or  None . You can use this option if you need to execute additional database queries using  await datasette.execute(...) . \n             Here's an example that allows users to view the  admin_log  table only if their actor  id  is present in the  admin_users  table. It aso disallows arbitrary SQL queries for the  staff.db  database for all users. \n             @hookimpl\ndef permission_allowed(datasette, actor, action, resource):\n    async def inner():\n        if action == \"execute-sql\" and resource == \"staff\":\n            return False\n        if action == \"view-table\" and resource == (\n            \"staff\",\n            \"admin_log\",\n        ):\n            if not actor:\n                return False\n            user_id = actor[\"id\"]\n            return await datasette.get_database(\n                \"staff\"\n            ).execute(\n                \"select count(*) from admin_users where user_id = :user_id\",\n                {\"user_id\": user_id},\n            )\n\n    return inner \n             See  built-in permissions  for a full list of permissions that are included in Datasette core. \n             Example:  datasette-permissions-sql", "breadcrumbs": "[\"Plugin hooks\"]", "references": "[{\"href\": \"https://datasette.io/plugins/datasette-permissions-sql\", \"label\": \"datasette-permissions-sql\"}]"}