From cde1624d0a8e97bafd29c37a05fa63fca3c936bb Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Fri, 24 Oct 2025 13:53:58 -0700
Subject: [PATCH] Update permission hooks to include source_plugin column and
 simplify menu_links

- Added source_plugin column to all permission SQL queries (required by new system)
- Removed unused InstanceResource import from default_menu_links.py
- Fixed SQL format to match (parent, child, allow, reason, source_plugin) schema
---
 datasette/default_menu_links.py  | 2 +-
 datasette/default_permissions.py | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/datasette/default_menu_links.py b/datasette/default_menu_links.py
index 22e6e46a..85032387 100644
--- a/datasette/default_menu_links.py
+++ b/datasette/default_menu_links.py
@@ -4,7 +4,7 @@ from datasette import hookimpl
 @hookimpl
 def menu_links(datasette, actor):
     async def inner():
-        if not await datasette.permission_allowed(actor, "debug-menu"):
+        if not await datasette.allowed(action="debug-menu", actor=actor):
             return []
 
         return [
diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py
index a37c47c1..8dc61aba 100644
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@@ -211,7 +211,7 @@ async def permission_resources_sql(datasette, actor, action):
         # Add a single global-level allow rule (NULL, NULL) for root
         # This allows root to access everything by default, but database-level
         # and table-level deny rules in config can still block specific resources
-        sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'root user' AS reason"
+        sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'root user' AS reason, 'root_permissions' AS source_plugin"
         rules.append(
             PermissionSQL(
                 source="root_permissions",
@@ -226,7 +226,7 @@ async def permission_resources_sql(datasette, actor, action):
     # Check default_allow_sql setting for execute-sql action
     if action == "execute-sql" and not datasette.setting("default_allow_sql"):
         # Return a deny rule for all databases
-        sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default_allow_sql is false' AS reason"
+        sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default_allow_sql is false' AS reason, 'default_allow_sql_setting' AS source_plugin"
         rules.append(
             PermissionSQL(
                 source="default_allow_sql_setting",
@@ -250,7 +250,8 @@ async def permission_resources_sql(datasette, actor, action):
     if action in default_allow_actions:
         reason = f"default allow for {action}".replace("'", "''")
         sql = (
-            "SELECT NULL AS parent, NULL AS child, 1 AS allow, " f"'{reason}' AS reason"
+            "SELECT NULL AS parent, NULL AS child, 1 AS allow, "
+            f"'{reason}' AS reason, 'default_permissions' AS source_plugin"
         )
         rules.append(
             PermissionSQL(
@@ -407,7 +408,7 @@ async def _config_permission_rules(datasette, actor, action) -> list[PermissionS
     for idx, (parent, child, allow, reason) in enumerate(rows):
         key = f"cfg_{idx}"
         parts.append(
-            f"SELECT :{key}_parent AS parent, :{key}_child AS child, :{key}_allow AS allow, :{key}_reason AS reason"
+            f"SELECT :{key}_parent AS parent, :{key}_child AS child, :{key}_allow AS allow, :{key}_reason AS reason, 'config_permissions' AS source_plugin"
         )
         params[f"{key}_parent"] = parent
         params[f"{key}_child"] = child