Fix view-database-download permission handling

Two fixes for database download permissions:

1. Added also_requires="view-database" to view-database-download action
   - You should only be able to download a database if you can view it

2. Added view-database-download to default_allow_actions list
   - This action should be allowed by default, like view-database

3. Implemented also_requires checking in allowed() method
   - The allowed() method now checks action.also_requires before
     checking the action itself
   - This ensures execute-sql requires view-database, etc.

Fixes test_database_download_for_immutable and
test_database_download_disallowed_for_memory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

datasette/app.py

@@ -1249,6 +1249,17 @@ class Datasette:
         if resource is None:
             resource = InstanceResource()
 
+        # Check if this action has also_requires - if so, check that action first
+        action_obj = self.actions.get(action)
+        if action_obj and action_obj.also_requires:
+            # Must have the required action first
+            if not await self.allowed(
+                action=action_obj.also_requires,
+                resource=resource,
+                actor=actor,
+            ):
+                return False
+
         result = await check_permission_for_resource(
             datasette=self,
             actor=actor,

datasette/default_actions.py

@@ -36,6 +36,7 @@ def register_actions():
             takes_parent=True,
             takes_child=False,
             resource_class=DatabaseResource,
+            also_requires="view-database",
         ),
         Action(
             name="view-table",

datasette/default_permissions.py

@@ -122,6 +122,7 @@ async def permission_resources_sql(datasette, actor, action):
     default_allow_actions = {
         "view-instance",
         "view-database",
+        "view-database-download",
         "view-table",
         "execute-sql",
     }