1.0a9
Pre-releaseThis alpha release adds basic alter table support to the Datasette Write API and fixes a permissions bug relating to the /upsert
API endpoint.
Alter table support for create, insert, upsert and update
The JSON write API can now be used to apply simple alter table schema changes, provided the acting actor has the new alter-table permission. (#2101)
The only alter operation supported so far is adding new columns to an existing table.
- The /db/-/create API now adds new columns during large operations to create a table based on incoming example
"rows"
, in the case where one of the later rows includes columns that were not present in the earlier batches. This requires thecreate-table
but not thealter-table
permission. - When
/db/-/create
is called with rows in a situation where the table may have been already created, an"alter": true
key can be included to indicate that any missing columns from the new rows should be added to the table. This requires thealter-table
permission. - /db/table/-/insert and /db/table/-/upsert and /db/table/row-pks/-/update all now also accept
"alter": true
, depending on thealter-table
permission.
Operations that alter a table now fire the new alter-table event.
Permissions fix for the upsert API
The /database/table/-/upsert API had a minor permissions bug, only affecting Datasette instances that had configured the insert-row
and update-row
permissions to apply to a specific table rather than the database or instance as a whole. Full details in issue #2262.
To avoid similar mistakes in the future the datasette.permission_allowed() method now specifies default=
as a keyword-only argument.
Permission checks now consider opinions from every plugin
The datasette.permission_allowed() method previously consulted every plugin that implemented the permission_allowed() plugin hook and obeyed the opinion of the last plugin to return a value. (#2275)
Datasette now consults every plugin and checks to see if any of them returned False
(the veto rule), and if none of them did, it then checks to see if any of them returned True
.
This is explained at length in the new documentation covering How permissions are resolved.
Other changes
- The new DATASETTE_TRACE_PLUGINS=1 environment variable turns on detailed trace output for every executed plugin hook, useful for debugging and understanding how the plugin system works at a low level. (#2274)
- Datasette on Python 3.9 or above marks its non-cryptographic uses of the MD5 hash function as
usedforsecurity=False
, for compatibility with FIPS systems. (#2270) - SQL relating to Datasette's internal database now executes inside a transaction, avoiding a potential database locked error. (#2273)
- The
/-/threads
debug page now identifies the database in the name associated with each dedicated write thread. (#2265) - The
/db/-/create
API now fires ainsert-rows
event if rows were inserted after the table was created. (#2260)