From deb0b87e1b64eef3da707a19ac60652e12cdbf07 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sat, 25 Oct 2025 14:47:54 -0700
Subject: [PATCH] Fix cli.py to use ds.actions instead of ds.permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The create-token CLI command was checking ds.permissions.get(action)
instead of ds.actions.get(action) when validating action names. This
caused false "Unknown permission" warnings for valid actions like
"debug-menu".

This is the same bug we fixed in app.py:685. The Action objects are
stored in ds.actions, not ds.permissions.

The warnings were being printed to stderr (correctly) but CliRunner
mixes stderr and stdout, so the warnings contaminated the token output,
causing token authentication to fail in tests.

Fixes all 6 test_cli_create_token tests.

Refs #2534

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 datasette/cli.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/datasette/cli.py b/datasette/cli.py
index db489e7b..9606a9a0 100644
--- a/datasette/cli.py
+++ b/datasette/cli.py
@@ -766,7 +766,7 @@ def create_token(
     actions.extend([p[1] for p in databases])
     actions.extend([p[2] for p in resources])
     for action in actions:
-        if not ds.permissions.get(action):
+        if not ds.actions.get(action):
             click.secho(
                 f"  Unknown permission: {action} ",
                 fg="red",