datasette-apps 0.1a3

Datasette has released version 0.1a3 of its datasette-apps plugin, addressing two critical security vulnerabilities identified in the initial release. The update fixes…

By Vane June 19, 2026 1 min read

Datasette has released version 0.1a3 of its datasette-apps plugin, addressing two critical security vulnerabilities identified in the initial release. The update fixes a flaw where users lacking the create-app permission could still generate new applications, and it resolves an issue preventing administrators from granting edit access to non-owners. Previously, the rules for modifying or deleting apps differed from viewing permissions, creating a gap in the access control logic. The latest patch aligns these rules so that private apps remain restricted to the owner, while public apps adhere to Datasette’s standard permission system. This ensures that only users with explicit approval can alter content they do not own.

These corrections are vital because the previous inconsistencies undermined the core security model of hosting custom web applications within a data platform. By allowing unauthorised users to create apps or preventing admins from managing edit rights, the plugin exposed potential vectors for abuse and data integrity issues. Aligning the permission structure with the rest of the software restores trust and ensures that the separation between public and private data remains robust. This move demonstrates a commitment to maintaining security standards as the toolset for embedding applications matures.

* Security gaps in app creation and editing permissions have been closed in version 0.1a3.
* Edit and delete rules now match view rules, enforcing consistent access control.
* Private apps remain owner-only, while public apps follow the standard Datasette permission system.

Scroll to Top