Idea: log successful permission checks for debugging / auditing

[simonw]

I'm not sure how feasible this is, but it struck me that we could have an option to write a record to a database every time one of the permission checks succeeds, here:

datasette-acl/datasette_acl/__init__.py

Lines 285 to 306 in 0be108e

	@hookimpl
	def permission_allowed(datasette, actor, action, resource):
	if not resource or len(resource) != 2:
	return None
	async def inner():
	if not actor:
	return None
	await update_dynamic_groups(
	datasette, actor, skip_cache=hasattr(sys, "_pytest_running")
	)
	db = datasette.get_internal_database()
	result = await db.execute(
	ACL_RESOURCE_PAIR_SQL,
	{
	"actor_id": actor["id"],
	"database": resource[0],
	"resource": resource[1],
	"action": action,
	},
	)
	return result.single_value() or None

This could go to a capped in-memory table that deletes after 1,000 records, or it could be configured to log permanently.

Capturing the page that the request came from would be useful too, but is a lot harder because that plugin hook doesn't provide access to the request.

[simonw]

Being able to see "user tom was granted update-row on table X because they were a member of group Y" could really help with debugging permissions issues.

Downside: we fire those checks a LOT - we fire update-row check just to see if they should have a visible update row button, for example.

Capping the size of the table would prevent it from absorbing too many resources (other than extra CPU).

Not sure if this feature is worthwhile or not.