1from datasette import hookimpl 

2from datasette.utils import actor_matches_allow 

3 

4 

5@hookimpl(tryfirst=True) 

6def permission_allowed(datasette, actor, action, resource): 

7 if action == "permissions-debug": 

8 if actor and actor.get("id") == "root": 

9 return True 

10 elif action == "view-instance": 

11 allow = datasette.metadata("allow") 

12 if allow is not None: 

13 return actor_matches_allow(actor, allow) 

14 elif action == "view-database": 

15 database_allow = datasette.metadata("allow", database=resource) 

16 if database_allow is None: 

17 return True 

18 return actor_matches_allow(actor, database_allow) 

19 elif action == "view-table": 

20 database, table = resource 

21 tables = datasette.metadata("tables", database=database) or {} 

22 table_allow = (tables.get(table) or {}).get("allow") 

23 if table_allow is None: 

24 return True 

25 return actor_matches_allow(actor, table_allow) 

26 elif action == "view-query": 

27 # Check if this query has a "allow" block in metadata 

28 database, query_name = resource 

29 queries_metadata = datasette.metadata("queries", database=database) 

30 assert query_name in queries_metadata 

31 if isinstance(queries_metadata[query_name], str): 

32 return True 

33 allow = queries_metadata[query_name].get("allow") 

34 if allow is None: 

35 return True 

36 return actor_matches_allow(actor, allow) 

37 elif action == "execute-sql": 

38 # Use allow_sql block from database block, or from top-level 

39 database_allow_sql = datasette.metadata("allow_sql", database=resource) 

40 if database_allow_sql is None: 

41 database_allow_sql = datasette.metadata("allow_sql") 

42 if database_allow_sql is None: 

43 return True 

44 return actor_matches_allow(actor, database_allow_sql)