sections: plugin_hooks:default-deny-with-an-exception
This data as json
| id | page | ref | title | content | breadcrumbs | references |
|---|---|---|---|---|---|---|
| plugin_hooks:default-deny-with-an-exception | plugin_hooks | default-deny-with-an-exception | Default deny with an exception | Combine a root-level deny with a specific table allow for trusted users. The resolver will automatically apply the most specific rule. from datasette import hookimpl from datasette.permissions import PermissionSQL TRUSTED = {"alice", "bob"} @hookimpl def permission_resources_sql(datasette, actor, action): if action != "view-table": return None actor_id = (actor or {}).get("id") if actor_id not in TRUSTED: return PermissionSQL( sql=""" SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default deny view-table' AS reason """, ) return PermissionSQL( sql=""" SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default deny view-table' AS reason UNION ALL SELECT 'reports' AS parent, 'daily_metrics' AS child, 1 AS allow, 'trusted user access' AS reason """, params={"actor_id": actor_id}, ) The UNION ALL ensures the deny rule is always present, while the second row adds the exception for trusted users. | ["Plugin hooks", "permission_resources_sql(datasette, actor, action)", "Permission plugin examples"] | [] |