CSRF protection no longer uses CSRF tokens
Datasette's token-based CSRF protection has been replaced with a mechanism based on the Sec-Fetch-Site and Origin request headers, which are supported by all modern browsers. See this article by Filippo Valsorda for more details of this approach. This removes the need for CSRF tokens in forms and AJAX requests. (#2689)
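A sketch of a header-based check of this kind, added here as an illustration and not Datasette's own implementation. The function name, the decision order and the sample hosts used with it are assumptions.

```python
from urllib.parse import urlsplit

# Methods that must never change state, so they are not CSRF-relevant.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_cross_origin_write(method, headers):
    """Return True if a request should be rejected as a cross-origin write.

    `headers` is a dict of request headers with lower-cased names
    (hypothetical shape, chosen for this example).
    """
    if method.upper() in SAFE_METHODS:
        return False

    site = headers.get("sec-fetch-site")
    if site is not None:
        # Set by the browser itself; page script cannot override it.
        # "none" means a user-initiated navigation (typed URL, bookmark).
        # "same-site" is rejected too: a sibling subdomain is another origin.
        return site.lower() not in ("same-origin", "none")

    origin = headers.get("origin")
    if origin is None:
        # Neither header present: not a modern browser (curl, scripts,
        # server-to-server), so no ambient cookies are being ridden.
        return False

    # Fallback for browsers that send Origin but not Sec-Fetch-Site:
    # the Origin host must match the Host the request was sent to.
    origin_host = urlsplit(origin).netloc.lower()
    host = headers.get("host", "").lower()
    # An opaque origin ("null") has no netloc and is always rejected.
    return not origin_host or origin_host != host
```

With a check like this, forms and AJAX calls carry no token; the decision rests entirely on headers the browser attaches.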
RenameTableEvent when a table is renamed
Renaming a table within Datasette will now fire a new RenameTableEvent, which plugins can use to react by updating ACL records or re-assigning comments or other associated records to the new table name. (#2681)
This event will not be fired if the table is renamed by SQL running in some other process.
The datasette.track_event() method can now be called from within a write operation (using database.execute_write() and related methods) and the event will be fired after the write transaction has successfully committed. (#2682)
Other changes
- New actor= parameter for datasette.client methods, allowing internal requests to be made as a specific actor. This is particularly useful for writing automated tests. (#2688)
- New Database(is_temp_disk=True) option, used internally for the internal database. This helps resolve intermittent database locked errors caused by the internal database being in-memory as opposed to on-disk. (#2683) (#2684)
- The /<database>/<table>/-/upsert API (docs) now rejects rows with null primary key values. (#1936)
- Improved example in the API explorer for the /-/upsert endpoint (docs). (#1936)
- The /<database>.json endpoint now includes an "ok": true key, for consistency with other JSON API responses.
- call_with_supported_arguments() is now documented as a supported public API. (#2678