From ca435d16f6df01951d5e17a913aec81528499077 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 25 Oct 2025 14:23:40 -0700 Subject: [PATCH] Fix test_auth_create_token - template variables and action abbreviation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed two bugs preventing the create token UI and tests from working: 1. **Template variable mismatch**: create_token.html was using undefined variables - Changed `all_permissions` → `all_actions` - Changed `database_permissions` → `database_actions` - Changed `resource_permissions` → `child_actions` These match what CreateTokenView.shared() actually provides to the template. 2. **Action abbreviation bug**: app.py:685 was checking the wrong dictionary - Changed `self.permissions.get(action)` → `self.actions.get(action)` The abbreviate_action() function needs to look up Action objects (which have the `abbr` attribute), not Permission objects. This bug prevented action names like "view-instance" from being abbreviated to "vi" in token restrictions. Refs #2534 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 datasette/app.py | 6 +++---
 datasette/templates/create_token.html | 6 +++---
 tests/test_auth.py | 1 -
 3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/datasette/app.py b/datasette/app.py
index 15b4820c..257b9204 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -682,10 +682,10 @@ class Datasette:
 def abbreviate_action(action):
 # rename to abbr if possible
- permission = self.permissions.get(action)
- if not permission:
+ action_obj = self.actions.get(action)
+ if not action_obj:
 return action
- return permission.abbr or action
+ return action_obj.abbr or action
 if expires_after:
 token["d"] = expires_after
diff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html
index 409fb8a9..ad7c71b6 100644
--- a/datasette/templates/create_token.html
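Review bot: In `abbreviate_action` (datasette/app.py), a name that is not found in `self.actions` is still returned unchanged by `return action`, so an unregistered or misspelled action would be written into the token's restrictions without any error. That same silent fallback is presumably why the earlier lookup against `self.permissions` went unnoticed until the xfail test was re-enabled. Since these values scope what a token may do, I would either validate the names before this point or at least document the pass-through, e.g. `# unknown action names pass through unabbreviated; callers must validate them first`. The enclosing method starts and ends outside the hunk, so validation may already happen elsewhere; worth confirming.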
+++ b/datasette/templates/create_token.html
@@ -57,7 +57,7 @@ Restrict actions that can be performed using this token

All databases and tables

@@ -65,7 +65,7 @@ {% for database in database_with_tables %}

All tables in "{{ database.name }}"

@@ -75,7 +75,7 @@ {% for table in database.tables %}

{{ database.name }}: {{ table.name }}

diff --git a/tests/test_auth.py b/tests/test_auth.py
index b38b92f4..3b3be2fc 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -137,7 +137,6 @@ async def test_no_logout_button_in_navigation_if_no_ds_actor_cookie(ds_client, p
 )
-@pytest.mark.xfail(reason="Actor restrictions need additional work, refs #2534")
 @pytest.mark.parametrize(
 "post_data,errors,expected_duration,expected_r",
 (