datasette-current-actor

Adds a current_actor() function to SQLite that shows the current actor's ID.


License
Apache-2.0
Install
pip install datasette-current-actor==0.3

Documentation

Installation

Install this plugin in the same environment as Datasette.

datasette install datasette-current-actor

Usage

  • current_actor() returns the current actor's ID, or NULL if no actor.
  • current_actor('attrs', 'name') navigates the actor object, returning the value of the name key stored in the attrs key, or NULL if any of the intermediate values are absent.
  • current_actor_ip() returns the current actor's IP address.
  • current_actor_user_agent() returns the current actor's HTTP user agent.

Default values, views and triggers

SQLite is flexible. It turns out you can refer to functions that don't exist when issuing DDL statements. As long as they exist when they're needed, it all works out.

Auditing

Track who added a row:

CREATE TABLE notes(
  created_by text not null default (current_actor()),
  created_by_ip text not null default (current_actor_ip()),
  note text not null
);

Or create an UPDATE trigger on a table that sets the last_edited_by column to current_actor().

Row-level security

Restrict the rows that users see:

CREATE VIEW rls AS
SELECT * FROM sensitive_data WHERE owner = current_actor()

You can see a live example at https://dux.fly.dev/cooking/my_questions, which should show you 0 rows.

That instance permits "logging in" by passing a _whoami query parameter. If you visit https://dux.fly.dev/cooking/my_questions?_whoami=15, you'll see all of user 15's questions.
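
The auditing default, the UPDATE trigger and the row-level security view described above, combined in one runnable sketch. This is an added example, not the plugin's code: it uses Python's sqlite3 module with a hand-registered stand-in for current_actor(), and the state dict, the notes_edited trigger, the my_notes view and the id and last_edited_by columns are assumptions.

```python
import sqlite3

def connect_as(state):
    """Open an in-memory DB with a stand-in current_actor() reading state['actor']."""
    db = sqlite3.connect(":memory:")
    # Assumption: stand-in for the plugin's function; returns the actor ID or NULL.
    db.create_function("current_actor", 0, lambda: state.get("actor"))
    db.executescript("""
        CREATE TABLE notes(
          id integer primary key,
          created_by text not null default (current_actor()),
          last_edited_by text,
          note text not null
        );
        -- Audit trigger: stamp the editor whenever the note text changes.
        CREATE TRIGGER notes_edited AFTER UPDATE OF note ON notes
        BEGIN
          UPDATE notes SET last_edited_by = current_actor() WHERE id = NEW.id;
        END;
        -- Row-level security view: callers only see rows they created.
        CREATE VIEW my_notes AS
          SELECT id, note, last_edited_by FROM notes
          WHERE created_by = current_actor();
    """)
    return db

def demo():
    state = {"actor": "alice"}  # constructed sample actors
    db = connect_as(state)
    db.execute("INSERT INTO notes(note) VALUES ('alice draft')")
    state["actor"] = "bob"
    db.execute("INSERT INTO notes(note) VALUES ('bob draft')")
    # Bob edits Alice's row through the base table; the trigger records him.
    db.execute("UPDATE notes SET note = 'reviewed by bob' WHERE id = 1")
    bob_view = db.execute("SELECT id, note FROM my_notes").fetchall()
    state["actor"] = "alice"
    alice_view = db.execute("SELECT id, note, last_edited_by FROM my_notes").fetchall()
    state["actor"] = None  # anonymous request: current_actor() is NULL
    anon_view = db.execute("SELECT * FROM my_notes").fetchall()
    try:
        db.execute("INSERT INTO notes(note) VALUES ('anonymous')")
        anon_insert = "accepted"
    except sqlite3.IntegrityError:
        anon_insert = "rejected"  # the NOT NULL default resolved to NULL
    return bob_view, alice_view, anon_view, anon_insert

if __name__ == "__main__":
    print(demo())
```

The view filters only the queries that go through it: anyone permitted to query notes directly still sees and can change every row, so the base table needs its own access restriction.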

Development

To set up this plugin locally, first check out the code. Then create a new virtual environment:

cd datasette-current-actor
python3 -m venv venv
source venv/bin/activate

Now install the dependencies and test dependencies:

pip install -e '.[test]'

To run the tests:

pytest