diff --git a/datasette/app.py b/datasette/app.py
index 0e7e35b8..528b11bf 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -1249,6 +1249,17 @@ class Datasette:
 if resource is None:
 resource = InstanceResource()
 
+ # Check if this action has also_requires - if so, check that action first
+ action_obj = self.actions.get(action)
+ if action_obj and action_obj.also_requires:
+ # Must have the required action first
+ if not await self.allowed(
+ action=action_obj.also_requires,
+ resource=resource,
+ actor=actor,
+ ):
+ return False
+
 result = await check_permission_for_resource(
 datasette=self,
 actor=actor,
diff --git a/datasette/default_actions.py b/datasette/default_actions.py
index 1a79838a..e06e906b 100644
--- a/datasette/default_actions.py
+++ b/datasette/default_actions.py
@@ -36,6 +36,7 @@ def register_actions():
 takes_parent=True,
 takes_child=False,
 resource_class=DatabaseResource,
+ also_requires="view-database",
 ),
 Action(
 name="view-table",
diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py
index cd92ba73..7eda09c8 100644
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@@ -122,6 +122,7 @@ async def permission_resources_sql(datasette, actor, action):
 default_allow_actions = {
 "view-instance",
 "view-database",
+ "view-database-download",
 "view-table",
 "execute-sql",
 }
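Review bot: The new `also_requires` check in `Datasette.allowed()` (datasette/app.py) re-enters `self.allowed()` with no guard against an action that names itself or a chain of prerequisites that loops back. One misregistered action (including one from a plugin, if plugins can register actions) would then recurse to the interpreter's recursion limit on every check of that action. A cheap local guard is `if action_obj and action_obj.also_requires and action_obj.also_requires != action:`; longer cycles are better rejected once, when actions are registered. The prerequisite is also evaluated against the same `resource` object, which fits `view-database` here but presumably would not suit a prerequisite with a different resource class, so that constraint deserves a sentence in the comment. The method begins and ends outside the hunk.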
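Review bot: In datasette/default_actions.py, `also_requires="view-database"` is a bare string, and nothing visible in this diff checks it against the set of registered actions. A misspelled or later-renamed prerequisite would reach the inner `allowed()` call, where `self.actions.get()` returns None and the outcome depends on how `check_permission_for_resource` treats an unknown action name. That could fail open or fail closed, and neither is shown here. Checking at registration time that every `also_requires` names a registered action with a compatible `resource_class` would turn a typo into a startup error instead of a silent permission change. The `Action(` call starts above the hunk, so the name of the action being changed is not visible.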
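Review bot: Adding `"view-database-download"` to `default_allow_actions` in datasette/default_permissions.py makes the download default-allowed, so the only thing tying it to database visibility is the `also_requires` check added to `Datasette.allowed()`. Any caller that resolves permissions from the rules `permission_resources_sql` produces without going through `allowed()` would see the download as permitted on a database where `view-database` is denied; no such caller is visible in this diff, so this needs confirming. A regression test that denies `view-database` for one database and asserts `view-database-download` is refused through every permission entry point would pin this down. A comment such as `# gated by also_requires="view-database" in default_actions.py` beside the new entry would record the dependency. The function body continues outside the hunk.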