simonw / datasette

An open source multi-tool for exploring and publishing data
https://datasette.io
Apache License 2.0

Allow documentation doesn't explain what happens with multiple allow keys #907

Closed simonw closed 4 years ago

simonw commented 4 years ago

Documentation here: https://datasette.readthedocs.io/en/0.45/authentication.html#defining-permissions-with-allow-blocks

Doesn't explain that with the following "allow" block:

{
  "allow": {
    "id": "simonw",
    "role": "staff"
  }
}

The rule will match if EITHER the id is simonw OR the role includes staff.

The tests are missing this case too: https://github.com/simonw/datasette/blob/028f193dd6233fa116262ab4b07b13df7dcec9be/tests/test_utils.py#L504

Related to #906

simonw commented 4 years ago

It might be good to have a little interactive tool which helps debug these things, since there are quite a few edge-cases and the damage caused if people use them incorrectly is substantial.
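
The OR-across-keys behaviour described in the first comment, plus the kind of "which key matched?" debugging aid suggested above, as an added example. This is illustrative code written for this page, not Datasette's own `actor_matches_allow` implementation; the handling of `true`/`false` blocks, the `"*"` wildcard and the `"unauthenticated"` key follows the Datasette documentation as I understand it and is an assumption, not something stated in this issue.

```python
"""Illustrative model of Datasette-style "allow" block matching.

Semantics modelled here (assumptions, not Datasette's code):
  * allow is True            -> everyone is allowed
  * allow is False/None/{}   -> nobody is allowed
  * allow is a dict          -> each key is checked independently and the
                                block matches if ANY key matches (OR).
    Within one key, the actor's value (scalar or list) matches if it
    overlaps with the allowed value(s); "*" matches any present value.
  * actor is None            -> only {"unauthenticated": true} admits it.
"""


def _as_list(value):
    """Normalise a scalar or list value to a list; None becomes []."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]


def explain_allow(actor, allow):
    """Return {key: matched?} for every key in a dict-style allow block.

    Useful as a debugging aid: it shows which keys would grant access on
    their own, which is what makes the OR semantics visible.
    """
    if not isinstance(allow, dict):
        return {}
    report = {}
    for key, allowed in allow.items():
        if key == "unauthenticated":
            # Assumption: this key only concerns anonymous visitors.
            report[key] = actor is None and allowed is True
            continue
        if actor is None or key not in actor:
            report[key] = False
            continue
        actor_values = _as_list(actor.get(key))
        allowed_values = _as_list(allowed)
        wildcard = "*" in allowed_values and bool(actor_values)
        overlap = any(v in allowed_values for v in actor_values)
        report[key] = wildcard or overlap
    return report


def actor_matches_allow(actor, allow):
    """True if `actor` (a dict, or None for anonymous) passes `allow`."""
    if allow is True:
        return True
    if not allow:  # False, None or {} -> deny everyone
        return False
    # OR across keys: a single matching key is enough.
    return any(explain_allow(actor, allow).values())


if __name__ == "__main__":
    # Constructed sample actors and the allow block from the issue.
    allow = {"id": "simonw", "role": "staff"}
    for actor in (
        {"id": "simonw", "role": "dev"},
        {"id": "cleopaws", "role": ["staff", "dev"]},
        {"id": "cleopaws", "role": "dev"},
        None,
    ):
        print(actor, "->", actor_matches_allow(actor, allow),
              explain_allow(actor, allow))
```

Running the block prints, for each constructed actor, the overall decision alongside the per-key breakdown; the second actor is admitted purely on `role` even though its `id` does not match, which is the case the issue says the docs did not spell out.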

simonw commented 4 years ago

Actually that is already covered here: https://github.com/simonw/datasette/blob/6be5654ffab282e8cf39cc138ba2d4496ebc7407/docs/authentication.rst#L158