sections: authentication:authentication-permissions-explained
This data as json
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| authentication:authentication-permissions-explained | authentication | authentication-permissions-explained | How permissions are resolved | Datasette performs permission checks using the internal await .allowed(*, action, resource, actor=None) , method which accepts keyword arguments for action , resource and an optional actor . resource should be an instance of the appropriate Resource subclass from datasette.resources —for example InstanceResource() , DatabaseResource(database="... )`` or TableResource(database="...", table="...") . This defaults to InstanceResource() if not specified. When a check runs Datasette gathers allow/deny rules from multiple sources and compiles them into a SQL query. The resulting query describes all of the resources an actor may access for that action, together with the reasons those resources were allowed or denied. The combined sources are: allow blocks configured in datasette.yaml . Actor restrictions encoded into the actor dictionary or API token. The "root" user shortcut when --root (or Datasette.root_enabled ) is active, replying True to all permission chucks unless configuration rules deny them at a more specific level. Any additional SQL provided by plugins implementing permission_resources_sql(datasette, actor, action) . Datasette evaluates the SQL to determine if the requested resource is included. Explicit deny rules returned by configuration or plugins will block access even if other rules allowed it. | ["Authentication and permissions", "Permissions"] | [] |