Open simonw opened 2 months ago
Being able to see "user tom was granted `update-row` on table X because they were a member of group Y" could really help with debugging permissions issues.
Downside: we fire those checks a LOT - we fire `update-row` check just to see if they should have a visible update row button, for example.
Capping the size of the table would prevent it from absorbing too many resources (other than extra CPU).
Not sure if this feature is worthwhile or not.
I'm not sure how feasible this is, but it struck me that we could have an option to write a record to a database every time one of the permission checks succeeds, here: https://github.com/datasette/datasette-acl/blob/0be108ebcf03ad1347a321a5a6c84da48cb8aaf6/datasette_acl/__init__.py#L285-L306
This could go to a capped in-memory table that deletes after 1,000 records, or it could be configured to log permanently.
Capturing the page that the request came from would be useful too, but is a lot harder because that plugin hook doesn't provide access to the request.
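
A sketch of the capped audit table proposed in this issue, added here as an illustration and not taken from datasette-acl: a SQLite trigger trims the log to the newest 1,000 records, and `cap=None` gives the permanent-log variant. The table name `permission_audit`, its columns, and the functions `open_audit_log`, `log_grant` and `recent_grants` are assumptions made for this example.

```python
import sqlite3

def open_audit_log(cap=1000, path=":memory:"):
    """Create the audit table; cap=None keeps every record (permanent log)."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS permission_audit (
               id INTEGER PRIMARY KEY AUTOINCREMENT,
               checked_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
               actor_id TEXT NOT NULL,
               action TEXT NOT NULL,
               resource TEXT NOT NULL,
               reason TEXT NOT NULL
           )"""
    )
    if cap is not None:
        # Trigger bodies cannot take bound parameters, so the cap is
        # forced through int() before being formatted into the DDL.
        conn.execute(
            f"""CREATE TRIGGER IF NOT EXISTS permission_audit_cap
                AFTER INSERT ON permission_audit
                BEGIN
                    DELETE FROM permission_audit WHERE id <= NEW.id - {int(cap)};
                END"""
        )
    conn.commit()
    return conn

def log_grant(conn, actor_id, action, resource, reason):
    """Record one successful permission check and why it succeeded."""
    with conn:
        conn.execute(
            "INSERT INTO permission_audit (actor_id, action, resource, reason)"
            " VALUES (?, ?, ?, ?)",
            (actor_id, action, resource, reason),
        )

def recent_grants(conn, actor_id, limit=5):
    """Newest-first explanations for one actor, for debugging."""
    return conn.execute(
        "SELECT action, resource, reason FROM permission_audit"
        " WHERE actor_id = ? ORDER BY id DESC LIMIT ?",
        (actor_id, limit),
    ).fetchall()

if __name__ == "__main__":
    log = open_audit_log()
    # Constructed sample: 1,050 successful checks for a made-up actor.
    for i in range(1050):
        log_grant(log, "tom", "update-row", "X", f"member of group Y (check {i})")
    print(log.execute("SELECT count(*), min(id) FROM permission_audit").fetchone())
    print(recent_grants(log, "tom", limit=1))
```

Because the trigger deletes by `id` rather than counting rows, each insert costs one indexed range delete, which keeps the overhead small when checks fire at high volume.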