diff --git a/.github/workflows/deploy-branch-preview.yml b/.github/workflows/deploy-branch-preview.yml index e56d9c27..872aff71 100644 --- a/.github/workflows/deploy-branch-preview.yml +++ b/.github/workflows/deploy-branch-preview.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@v4 with: python-version: "3.11" - name: Install dependencies diff --git a/.github/workflows/deploy-latest.yml b/.github/workflows/deploy-latest.yml index 9f53b01e..f235b442 100644 --- a/.github/workflows/deploy-latest.yml +++ b/.github/workflows/deploy-latest.yml @@ -1,11 +1,10 @@ name: Deploy latest.datasette.io on: - workflow_dispatch: push: branches: - main - # - 1.0-dev + - 1.0-dev permissions: contents: read @@ -15,12 +14,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out datasette - uses: actions/checkout@v5 + uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v4 + # gcloud commmand breaks on higher Python versions, so stick with 3.9: with: - python-version: "3.13" - cache: pip + python-version: "3.9" + - uses: actions/cache@v4 + name: Configure pip caching + with: + path: ~/.cache/pip + key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.py') }} + restore-keys: | + ${{ runner.os }}-pip- - name: Install Python dependencies run: | python -m pip install --upgrade pip @@ -95,13 +101,12 @@ jobs: # jq '.plugins |= . + {"datasette-ephemeral-tables": {"table_ttl": 900}}' \ # > metadata.json # cat metadata.json - - id: auth - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v3 + - name: Set up Cloud Run + uses: google-github-actions/setup-gcloud@v0 with: - credentials_json: ${{ secrets.GCP_SA_KEY }} - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v3 + version: '318.0.0' + service_account_email: ${{ secrets.GCP_SA_EMAIL }} + service_account_key: ${{ secrets.GCP_SA_KEY }} - name: Deploy to Cloud Run env: LATEST_DATASETTE_SECRET: ${{ secrets.LATEST_DATASETTE_SECRET }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e94d0bdd..bf67a115 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] + python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] steps: - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} cache: pip - cache-dependency-path: pyproject.toml + cache-dependency-path: setup.py - name: Install dependencies run: | pip install -e '.[test]' @@ -37,11 +37,11 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: '3.13' cache: pip - cache-dependency-path: pyproject.toml + cache-dependency-path: setup.py - name: Install dependencies run: | pip install setuptools wheel build @@ -58,11 +58,11 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: - python-version: '3.10' + python-version: '3.9' cache: pip - cache-dependency-path: pyproject.toml + cache-dependency-path: setup.py - name: Install dependencies run: | python -m pip install -e .[docs] @@ -73,13 +73,12 @@ jobs: DISABLE_SPHINX_INLINE_TABS=1 sphinx-build -b xml . _build sphinx-to-sqlite ../docs.db _build cd .. - - id: auth - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 + - name: Set up Cloud Run + uses: google-github-actions/setup-gcloud@v0 with: - credentials_json: ${{ secrets.GCP_SA_KEY }} - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v3 + version: '318.0.0' + service_account_email: ${{ secrets.GCP_SA_EMAIL }} + service_account_key: ${{ secrets.GCP_SA_KEY }} - name: Deploy stable-docs.datasette.io to Cloud Run run: |- gcloud config set run/region us-central1 diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 7c5370ce..907104b8 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml @@ -11,11 +11,11 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v4 with: python-version: '3.11' cache: 'pip' - cache-dependency-path: '**/pyproject.toml' + cache-dependency-path: '**/setup.py' - name: Install dependencies run: | pip install -e '.[docs]' diff --git a/.github/workflows/stable-docs.yml b/.github/workflows/stable-docs.yml deleted file mode 100644 index 3119d617..00000000 --- a/.github/workflows/stable-docs.yml +++ /dev/null @@ -1,76 +0,0 @@ -name: Update Stable Docs - -on: - release: - types: [published] - push: - branches: - - main - -permissions: - contents: write - -jobs: - update_stable_docs: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v5 - with: - fetch-depth: 0 # We need all commits to find docs/ changes - - name: Set up Git user - run: | - git config user.name "Automated" - git config user.email "actions@users.noreply.github.com" - - name: Create stable branch if it does not yet exist - run: | - if ! git ls-remote --heads origin stable | grep -qE '\bstable\b'; then - # Make sure we have all tags locally - git fetch --tags --quiet - - # Latest tag that is just numbers and dots (optionally prefixed with 'v') - # e.g., 0.65.2 or v0.65.2 — excludes 1.0a20, 1.0-rc1, etc. - LATEST_RELEASE=$( - git tag -l --sort=-v:refname \ - | grep -E '^v?[0-9]+(\.[0-9]+){1,3}$' \ - | head -n1 - ) - - git checkout -b stable - - # If there are any stable releases, copy docs/ from the most recent - if [ -n "$LATEST_RELEASE" ]; then - rm -rf docs/ - git checkout "$LATEST_RELEASE" -- docs/ || true - fi - - git commit -m "Populate docs/ from $LATEST_RELEASE" || echo "No changes" - git push -u origin stable - fi - - name: Handle Release - if: github.event_name == 'release' && !github.event.release.prerelease - run: | - git fetch --all - git checkout stable - git reset --hard ${GITHUB_REF#refs/tags/} - git push origin stable --force - - name: Handle Commit to Main - if: contains(github.event.head_commit.message, '!stable-docs') - run: | - git fetch origin - git checkout -b stable origin/stable - # Get the list of modified files in docs/ from the current commit - FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - # Check if the list of files is non-empty - if [[ -n "$FILES" ]]; then - # Checkout those files to the stable branch to over-write with their contents - for FILE in $FILES; do - git checkout ${{ github.sha }} -- $FILE - done - git add docs/ - git commit -m "Doc changes from ${{ github.sha }}" - git push origin stable - else - echo "No changes to docs/ in this commit." - exit 0 - fi diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml index 8d73b64d..32654a93 100644 --- a/.github/workflows/test-coverage.yml +++ b/.github/workflows/test-coverage.yml @@ -17,11 +17,11 @@ jobs: - name: Check out datasette uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: '3.12' cache: 'pip' - cache-dependency-path: '**/pyproject.toml' + cache-dependency-path: '**/setup.py' - name: Install Python dependencies run: | python -m pip install --upgrade pip diff --git a/.github/workflows/test-pyodide.yml b/.github/workflows/test-pyodide.yml index b490a9bf..abfa9b90 100644 --- a/.github/workflows/test-pyodide.yml +++ b/.github/workflows/test-pyodide.yml @@ -14,11 +14,11 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: "3.10" cache: 'pip' - cache-dependency-path: '**/pyproject.toml' + cache-dependency-path: '**/setup.py' - name: Cache Playwright browsers uses: actions/cache@v4 with: diff --git a/.github/workflows/test-sqlite-support.yml b/.github/workflows/test-sqlite-support.yml index 76ea138a..1deef282 100644 --- a/.github/workflows/test-sqlite-support.yml +++ b/.github/workflows/test-sqlite-support.yml @@ -12,7 +12,7 @@ jobs: strategy: matrix: platform: [ubuntu-latest] - python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] + python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] sqlite-version: [ #"3", # latest version "3.46", @@ -27,12 +27,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} allow-prereleases: true cache: pip - cache-dependency-path: pyproject.toml + cache-dependency-path: setup.py - name: Set up SQLite ${{ matrix.sqlite-version }} uses: asg017/sqlite-versions@71ea0de37ae739c33e447af91ba71dda8fcf22e6 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1e5e03d2..773876d3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,16 +10,16 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] + python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] steps: - uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} allow-prereleases: true cache: pip - cache-dependency-path: pyproject.toml + cache-dependency-path: setup.py - name: Build extension for --load-extension test run: |- (cd tests && gcc ext.c -fPIC -shared -o ext.so) @@ -33,15 +33,16 @@ jobs: pytest -m "serial" # And the test that exceeds a localhost HTTPS server tests/test_datasette_https_server.sh - - name: Install docs dependencies + - name: Install docs dependencies on Python 3.9+ + if: matrix.python-version != '3.8' run: | pip install -e '.[docs]' - - name: Black - run: black --check . - name: Check if cog needs to be run + if: matrix.python-version != '3.8' run: | cog --check docs/*.rst - name: Check if blacken-docs needs to be run + if: matrix.python-version != '3.8' run: | # This fails on syntax errors, or a diff was applied blacken-docs -l 60 docs/*.rst diff --git a/.github/workflows/tmate.yml b/.github/workflows/tmate.yml index 123f6c71..9792245d 100644 --- a/.github/workflows/tmate.yml +++ b/.github/workflows/tmate.yml @@ -5,7 +5,6 @@ on: permissions: contents: read - models: read jobs: build: @@ -14,5 +13,3 @@ jobs: - uses: actions/checkout@v2 - name: Setup tmate session uses: mxschmitt/action-tmate@v3 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index 70e6bbeb..277ff653 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,6 @@ scratchpad .vscode -uv.lock -data.db - # We don't use Pipfile, so ignore them Pipfile Pipfile.lock @@ -126,4 +123,4 @@ node_modules # include it in source control. tests/*.dylib tests/*.so -tests/*.dll +tests/*.dll \ No newline at end of file diff --git a/Justfile b/Justfile index a47662c3..172de444 100644 --- a/Justfile +++ b/Justfile @@ -5,52 +5,38 @@ export DATASETTE_SECRET := "not_a_secret" # Setup project @init: - uv sync --extra test --extra docs + pipenv run pip install -e '.[test,docs]' # Run pytest with supplied options -@test *options: init - uv run pytest -n auto {{options}} +@test *options: + pipenv run pytest {{options}} @codespell: - uv run codespell README.md --ignore-words docs/codespell-ignore-words.txt - uv run codespell docs/*.rst --ignore-words docs/codespell-ignore-words.txt - uv run codespell datasette -S datasette/static --ignore-words docs/codespell-ignore-words.txt - uv run codespell tests --ignore-words docs/codespell-ignore-words.txt + pipenv run codespell README.md --ignore-words docs/codespell-ignore-words.txt + pipenv run codespell docs/*.rst --ignore-words docs/codespell-ignore-words.txt + pipenv run codespell datasette -S datasette/static --ignore-words docs/codespell-ignore-words.txt + pipenv run codespell tests --ignore-words docs/codespell-ignore-words.txt # Run linters: black, flake8, mypy, cog @lint: codespell - uv run black . --check - uv run flake8 - uv run --extra test cog --check README.md docs/*.rst + pipenv run black . --check + pipenv run flake8 + pipenv run cog --check README.md docs/*.rst # Rebuild docs with cog @cog: - uv run --extra test cog -r README.md docs/*.rst + pipenv run cog -r README.md docs/*.rst # Serve live docs on localhost:8000 -@docs: cog blacken-docs - uv run --extra docs make -C docs livehtml - -# Build docs as static HTML -@docs-build: cog blacken-docs - rm -rf docs/_build && cd docs && uv run make html +@docs: cog + pipenv run blacken-docs -l 60 docs/*.rst + cd docs && pipenv run make livehtml # Apply Black @black: - uv run black . + pipenv run black . -# Apply blacken-docs -@blacken-docs: - uv run blacken-docs -l 60 docs/*.rst - -# Apply prettier -@prettier: - npm run fix - -# Format code with both black and prettier -@format: black prettier blacken-docs - -@serve *options: - uv run sqlite-utils create-database data.db - uv run sqlite-utils create-table data.db docs id integer title text --pk id --ignore - uv run python -m datasette data.db --root --reload {{options}} +@serve: + pipenv run sqlite-utils create-database data.db + pipenv run sqlite-utils create-table data.db docs id integer title text --pk id --ignore + pipenv run python -m datasette data.db --root --reload diff --git a/datasette/app.py b/datasette/app.py index b9955925..bf6cc03f 100644 --- a/datasette/app.py +++ b/datasette/app.py @@ -1,12 +1,6 @@ -from __future__ import annotations - from asgi_csrf import Errors import asyncio -import contextvars -from typing import TYPE_CHECKING, Any, Dict, Iterable, List - -if TYPE_CHECKING: - from datasette.permissions import AllowedResource, Resource +from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple, Union import asgi_csrf import collections import dataclasses @@ -55,13 +49,6 @@ from .views.special import ( AllowDebugView, PermissionsDebugView, MessagesDebugView, - AllowedResourcesView, - PermissionRulesView, - PermissionCheckView, - TablesView, - InstanceSchemaView, - DatabaseSchemaView, - TableSchemaView, ) from .views.table import ( TableInsertView, @@ -75,7 +62,6 @@ from .url_builder import Urls from .database import Database, QueryInterrupted from .utils import ( - PaginatedResources, PrefixedUrlString, SPATIALITE_FUNCTIONS, StartupError, @@ -96,7 +82,6 @@ from .utils import ( resolve_env_secrets, resolve_routes, tilde_decode, - tilde_encode, to_css_class, urlsafe_components, redact_keys, @@ -126,39 +111,8 @@ from .tracer import AsgiTracer from .plugins import pm, DEFAULT_PLUGINS, get_plugins from .version import __version__ -from .resources import DatabaseResource, TableResource - app_root = Path(__file__).parent.parent - -# Context variable to track when code is executing within a datasette.client request -_in_datasette_client = contextvars.ContextVar("in_datasette_client", default=False) - - -class _DatasetteClientContext: - """Context manager to mark code as executing within a datasette.client request.""" - - def __enter__(self): - self.token = _in_datasette_client.set(True) - return self - - def __exit__(self, exc_type, exc_val, exc_tb): - _in_datasette_client.reset(self.token) - return False - - -@dataclasses.dataclass -class PermissionCheck: - """Represents a logged permission check for debugging purposes.""" - - when: str - actor: Dict[str, Any] | None - action: str - parent: str | None - child: str | None - result: bool - - # https://github.com/simonw/datasette/issues/283#issuecomment-781591015 SQLITE_LIMIT_ATTACHED = 10 @@ -268,9 +222,6 @@ FAVICON_PATH = app_root / "datasette" / "static" / "favicon.png" DEFAULT_NOT_SET = object() -ResourcesSQL = collections.namedtuple("ResourcesSQL", ("sql", "params")) - - async def favicon(request, send): await asgi_send_file( send, @@ -321,7 +272,6 @@ class Datasette: crossdb=False, nolock=False, internal=None, - default_deny=False, ): self._startup_invoked = False assert config_dir is None or isinstance( @@ -352,7 +302,7 @@ class Datasette: self.inspect_data = inspect_data self.immutables = set(immutables or []) self.databases = collections.OrderedDict() - self.actions = {} # .invoke_startup() will populate this + self.permissions = {} # .invoke_startup() will populate this try: self._refresh_schemas_lock = asyncio.Lock() except RuntimeError as rex: @@ -436,37 +386,10 @@ class Datasette: config = config or {} config_settings = config.get("settings") or {} - # Validate settings from config file - for key, value in config_settings.items(): + # validate "settings" keys in datasette.json + for key in config_settings: if key not in DEFAULT_SETTINGS: - raise StartupError(f"Invalid setting '{key}' in config file") - # Validate type matches expected type from DEFAULT_SETTINGS - if value is not None: # Allow None/null values - expected_type = type(DEFAULT_SETTINGS[key]) - actual_type = type(value) - if actual_type != expected_type: - raise StartupError( - f"Setting '{key}' in config file has incorrect type. " - f"Expected {expected_type.__name__}, got {actual_type.__name__}. " - f"Value: {value!r}. " - f"Hint: In YAML/JSON config files, remove quotes from boolean and integer values." - ) - - # Validate settings from constructor parameter - if settings: - for key, value in settings.items(): - if key not in DEFAULT_SETTINGS: - raise StartupError(f"Invalid setting '{key}' in settings parameter") - if value is not None: - expected_type = type(DEFAULT_SETTINGS[key]) - actual_type = type(value) - if actual_type != expected_type: - raise StartupError( - f"Setting '{key}' in settings parameter has incorrect type. " - f"Expected {expected_type.__name__}, got {actual_type.__name__}. " - f"Value: {value!r}" - ) - + raise StartupError("Invalid setting '{}' in datasette.json".format(key)) self.config = config # CLI settings should overwrite datasette.json settings self._settings = dict(DEFAULT_SETTINGS, **(config_settings), **(settings or {})) @@ -529,8 +452,6 @@ class Datasette: self._register_renderers() self._permission_checks = collections.deque(maxlen=200) self._root_token = secrets.token_hex(32) - self.root_enabled = False - self.default_deny = default_deny self.client = DatasetteClient(self) async def apply_metadata_json(self): @@ -576,17 +497,19 @@ class Datasette: pass return environment - def get_action(self, name_or_abbr: str): + def get_permission(self, name_or_abbr: str) -> "Permission": """ - Returns an Action object for the given name or abbreviation. Returns None if not found. + Returns a Permission object for the given name or abbreviation. Raises KeyError if not found. """ - if name_or_abbr in self.actions: - return self.actions[name_or_abbr] + if name_or_abbr in self.permissions: + return self.permissions[name_or_abbr] # Try abbreviation - for action in self.actions.values(): - if action.abbr == name_or_abbr: - return action - return None + for permission in self.permissions.values(): + if permission.abbr == name_or_abbr: + return permission + raise KeyError( + "No permission found with name or abbreviation {}".format(name_or_abbr) + ) async def refresh_schemas(self): if self._refresh_schemas_lock.locked(): @@ -606,15 +529,6 @@ class Datasette: "select database_name, schema_version from catalog_databases" ) } - # Delete stale entries for databases that are no longer attached - stale_databases = set(current_schema_versions.keys()) - set( - self.databases.keys() - ) - for stale_db_name in stale_databases: - await internal_db.execute_write( - "DELETE FROM catalog_databases WHERE database_name = ?", - [stale_db_name], - ) for database_name, db in self.databases.items(): schema_version = (await db.execute("PRAGMA schema_version")).first()[0] # Compare schema versions to see if we should skip it @@ -640,17 +554,6 @@ class Datasette: def urls(self): return Urls(self) - @property - def pm(self): - """ - Return the global plugin manager instance. - - This provides access to the pluggy PluginManager that manages all - Datasette plugins and hooks. Use datasette.pm.hook.hook_name() to - call plugin hooks. - """ - return pm - async def invoke_startup(self): # This must be called for Datasette to be in a usable state if self._startup_invoked: @@ -663,32 +566,24 @@ class Datasette: event_classes.extend(extra_classes) self.event_classes = tuple(event_classes) - # Register actions, but watch out for duplicate name/abbr - action_names = {} - action_abbrs = {} - for hook in pm.hook.register_actions(datasette=self): + # Register permissions, but watch out for duplicate name/abbr + names = {} + abbrs = {} + for hook in pm.hook.register_permissions(datasette=self): if hook: - for action in hook: - if ( - action.name in action_names - and action != action_names[action.name] - ): + for p in hook: + if p.name in names and p != names[p.name]: raise StartupError( - "Duplicate action name: {}".format(action.name) + "Duplicate permission name: {}".format(p.name) ) - if ( - action.abbr - and action.abbr in action_abbrs - and action != action_abbrs[action.abbr] - ): + if p.abbr and p.abbr in abbrs and p != abbrs[p.abbr]: raise StartupError( - "Duplicate action abbr: {}".format(action.abbr) + "Duplicate permission abbr: {}".format(p.abbr) ) - action_names[action.name] = action - if action.abbr: - action_abbrs[action.abbr] = action - self.actions[action.name] = action - + names[p.name] = p + if p.abbr: + abbrs[p.abbr] = p + self.permissions[p.name] = p for hook in pm.hook.prepare_jinja2_environment( env=self._jinja_env, datasette=self ): @@ -703,22 +598,14 @@ class Datasette: def unsign(self, signed, namespace="default"): return URLSafeSerializer(self._secret, namespace).loads(signed) - def in_client(self) -> bool: - """Check if the current code is executing within a datasette.client request. - - Returns: - bool: True if currently executing within a datasette.client request, False otherwise. - """ - return _in_datasette_client.get() - def create_token( self, actor_id: str, *, - expires_after: int | None = None, - restrict_all: Iterable[str] | None = None, - restrict_database: Dict[str, Iterable[str]] | None = None, - restrict_resource: Dict[str, Dict[str, Iterable[str]]] | None = None, + expires_after: Optional[int] = None, + restrict_all: Optional[Iterable[str]] = None, + restrict_database: Optional[Dict[str, Iterable[str]]] = None, + restrict_resource: Optional[Dict[str, Dict[str, Iterable[str]]]] = None, ): token = {"a": actor_id, "t": int(time.time())} if expires_after: @@ -726,10 +613,10 @@ class Datasette: def abbreviate_action(action): # rename to abbr if possible - action_obj = self.actions.get(action) - if not action_obj: + permission = self.permissions.get(action) + if not permission: return action - return action_obj.abbr or action + return permission.abbr or action if expires_after: token["d"] = expires_after @@ -779,10 +666,8 @@ class Datasette: self.databases = new_databases return db - def add_memory_database(self, memory_name, name=None, route=None): - return self.add_database( - Database(self, memory_name=memory_name), name=name, route=route - ) + def add_memory_database(self, memory_name): + return self.add_database(Database(self, memory_name=memory_name)) def remove_database(self, name): self.get_database(name).close() @@ -968,7 +853,9 @@ class Datasette: return self._app_css_hash async def get_canned_queries(self, database_name, actor): - queries = {} + queries = ( + ((self.config or {}).get("databases") or {}).get(database_name) or {} + ).get("queries") or {} for more_queries in pm.hook.canned_queries( datasette=self, database=database_name, @@ -1050,14 +937,14 @@ class Datasette: if request: actor = request.actor # Top-level link - if await self.allowed(action="view-instance", actor=actor): + if await self.permission_allowed(actor=actor, action="view-instance"): crumbs.append({"href": self.urls.instance(), "label": "home"}) # Database link if database: - if await self.allowed( - action="view-database", - resource=DatabaseResource(database=database), + if await self.permission_allowed( actor=actor, + action="view-database", + resource=database, ): crumbs.append( { @@ -1068,10 +955,10 @@ class Datasette: # Table link if table: assert database, "table= requires database=" - if await self.allowed( - action="view-table", - resource=TableResource(database=database, table=table), + if await self.permission_allowed( actor=actor, + action="view-table", + resource=(database, table), ): crumbs.append( { @@ -1082,8 +969,8 @@ class Datasette: return crumbs async def actors_from_ids( - self, actor_ids: Iterable[str | int] - ) -> Dict[int | str, Dict]: + self, actor_ids: Iterable[Union[str, int]] + ) -> Dict[Union[id, str], Dict]: result = pm.hook.actors_from_ids(datasette=self, actor_ids=actor_ids) if result is None: # Do the default thing @@ -1098,355 +985,115 @@ class Datasette: for hook in pm.hook.track_event(datasette=self, event=event): await await_me_maybe(hook) - def resource_for_action(self, action: str, parent: str | None, child: str | None): + async def permission_allowed( + self, actor, action, resource=None, *, default=DEFAULT_NOT_SET + ): + """Check permissions using the permissions_allowed plugin hook""" + result = None + # Use default from registered permission, if available + if default is DEFAULT_NOT_SET and action in self.permissions: + default = self.permissions[action].default + opinions = [] + # Every plugin is consulted for their opinion + for check in pm.hook.permission_allowed( + datasette=self, + actor=actor, + action=action, + resource=resource, + ): + check = await await_me_maybe(check) + if check is not None: + opinions.append(check) + + result = None + # If any plugin said False it's false - the veto rule + if any(not r for r in opinions): + result = False + elif any(r for r in opinions): + # Otherwise, if any plugin said True it's true + result = True + + used_default = False + if result is None: + # No plugin expressed an opinion, so use the default + result = default + used_default = True + self._permission_checks.append( + { + "when": datetime.datetime.now(datetime.timezone.utc).isoformat(), + "actor": actor, + "action": action, + "resource": resource, + "used_default": used_default, + "result": result, + } + ) + return result + + async def ensure_permissions( + self, + actor: dict, + permissions: Sequence[Union[Tuple[str, Union[str, Tuple[str, str]]], str]], + ): """ - Create a Resource instance for the given action with parent/child values. + permissions is a list of (action, resource) tuples or 'action' strings - Looks up the action's resource_class and instantiates it with the - provided parent and child identifiers. - - Args: - action: The action name (e.g., "view-table", "view-query") - parent: The parent resource identifier (e.g., database name) - child: The child resource identifier (e.g., table/query name) - - Returns: - A Resource instance of the appropriate subclass - - Raises: - ValueError: If the action is unknown + Raises datasette.Forbidden() if any of the checks fail """ - from datasette.permissions import Resource - - action_obj = self.actions.get(action) - if not action_obj: - raise ValueError(f"Unknown action: {action}") - - resource_class = action_obj.resource_class - instance = object.__new__(resource_class) - Resource.__init__(instance, parent=parent, child=child) - return instance + assert actor is None or isinstance(actor, dict), "actor must be None or a dict" + for permission in permissions: + if isinstance(permission, str): + action = permission + resource = None + elif isinstance(permission, (tuple, list)) and len(permission) == 2: + action, resource = permission + else: + assert ( + False + ), "permission should be string or tuple of two items: {}".format( + repr(permission) + ) + ok = await self.permission_allowed( + actor, + action, + resource=resource, + default=None, + ) + if ok is not None: + if ok: + return + else: + raise Forbidden(action) async def check_visibility( self, actor: dict, - action: str, - resource: "Resource" | None = None, + action: Optional[str] = None, + resource: Optional[Union[str, Tuple[str, str]]] = None, + permissions: Optional[ + Sequence[Union[Tuple[str, Union[str, Tuple[str, str]]], str]] + ] = None, ): - """ - Check if actor can see a resource and if it's private. - - Returns (visible, private) tuple: - - visible: bool - can the actor see it? - - private: bool - if visible, can anonymous users NOT see it? - """ - from datasette.permissions import Resource - - # Validate that resource is a Resource object or None - if resource is not None and not isinstance(resource, Resource): - raise TypeError(f"resource must be a Resource subclass instance or None.") - - # Check if actor can see it - if not await self.allowed(action=action, resource=resource, actor=actor): + """Returns (visible, private) - visible = can you see it, private = can others see it too""" + if permissions: + assert ( + not action and not resource + ), "Can't use action= or resource= with permissions=" + else: + permissions = [(action, resource)] + try: + await self.ensure_permissions(actor, permissions) + except Forbidden: return False, False - - # Check if anonymous user can see it (for "private" flag) - if not await self.allowed(action=action, resource=resource, actor=None): - # Actor can see it but anonymous cannot - it's private + # User can see it, but can the anonymous user see it? + try: + await self.ensure_permissions(None, permissions) + except Forbidden: + # It's visible but private return True, True - - # Both actor and anonymous can see it - it's public + # It's visible to everyone return True, False - async def allowed_resources_sql( - self, - *, - action: str, - actor: dict | None = None, - parent: str | None = None, - include_is_private: bool = False, - ) -> ResourcesSQL: - """ - Build SQL query to get all resources the actor can access for the given action. - - Args: - action: The action name (e.g., "view-table") - actor: The actor dict (or None for unauthenticated) - parent: Optional parent filter (e.g., database name) to limit results - include_is_private: If True, include is_private column showing if anonymous cannot access - - Returns a namedtuple of (query: str, params: dict) that can be executed against the internal database. - The query returns rows with (parent, child, reason) columns, plus is_private if requested. - - Example: - query, params = await datasette.allowed_resources_sql( - action="view-table", - actor=actor, - parent="mydb", - include_is_private=True - ) - result = await datasette.get_internal_database().execute(query, params) - """ - from datasette.utils.actions_sql import build_allowed_resources_sql - - action_obj = self.actions.get(action) - if not action_obj: - raise ValueError(f"Unknown action: {action}") - - sql, params = await build_allowed_resources_sql( - self, actor, action, parent=parent, include_is_private=include_is_private - ) - return ResourcesSQL(sql, params) - - async def allowed_resources( - self, - action: str, - actor: dict | None = None, - *, - parent: str | None = None, - include_is_private: bool = False, - include_reasons: bool = False, - limit: int = 100, - next: str | None = None, - ) -> PaginatedResources: - """ - Return paginated resources the actor can access for the given action. - - Uses SQL with keyset pagination to efficiently filter resources. - Returns PaginatedResources with list of Resource instances and pagination metadata. - - Args: - action: The action name (e.g., "view-table") - actor: The actor dict (or None for unauthenticated) - parent: Optional parent filter (e.g., database name) to limit results - include_is_private: If True, adds a .private attribute to each Resource - include_reasons: If True, adds a .reasons attribute with List[str] of permission reasons - limit: Maximum number of results to return (1-1000, default 100) - next: Keyset token from previous page for pagination - - Returns: - PaginatedResources with: - - resources: List of Resource objects for this page - - next: Token for next page (None if no more results) - - Example: - # Get first page of tables - page = await datasette.allowed_resources("view-table", actor, limit=50) - for table in page.resources: - print(f"{table.parent}/{table.child}") - - # Get next page - if page.next: - next_page = await datasette.allowed_resources( - "view-table", actor, limit=50, next=page.next - ) - - # With reasons for debugging - page = await datasette.allowed_resources( - "view-table", actor, include_reasons=True - ) - for table in page.resources: - print(f"{table.child}: {table.reasons}") - - # Iterate through all results with async generator - page = await datasette.allowed_resources("view-table", actor) - async for table in page.all(): - print(table.child) - """ - - action_obj = self.actions.get(action) - if not action_obj: - raise ValueError(f"Unknown action: {action}") - - # Validate and cap limit - limit = min(max(1, limit), 1000) - - # Get base SQL query - query, params = await self.allowed_resources_sql( - action=action, - actor=actor, - parent=parent, - include_is_private=include_is_private, - ) - - # Add keyset pagination WHERE clause if next token provided - if next: - try: - components = urlsafe_components(next) - if len(components) >= 2: - last_parent, last_child = components[0], components[1] - # Keyset condition: (parent > last) OR (parent = last AND child > last) - keyset_where = """ - (parent > :keyset_parent OR - (parent = :keyset_parent AND child > :keyset_child)) - """ - # Wrap original query and add keyset filter - query = f"SELECT * FROM ({query}) WHERE {keyset_where}" - params["keyset_parent"] = last_parent - params["keyset_child"] = last_child - except (ValueError, KeyError): - # Invalid token - ignore and start from beginning - pass - - # Add LIMIT (fetch limit+1 to detect if there are more results) - # Note: query from allowed_resources_sql() already includes ORDER BY parent, child - query = f"{query} LIMIT :limit" - params["limit"] = limit + 1 - - # Execute query - result = await self.get_internal_database().execute(query, params) - rows = list(result.rows) - - # Check if truncated (got more than limit rows) - truncated = len(rows) > limit - if truncated: - rows = rows[:limit] # Remove the extra row - - # Build Resource objects with optional attributes - resources = [] - for row in rows: - # row[0]=parent, row[1]=child, row[2]=reason, row[3]=is_private (if requested) - resource = self.resource_for_action(action, parent=row[0], child=row[1]) - - # Add reasons if requested - if include_reasons: - reason_json = row[2] - try: - reasons_array = ( - json.loads(reason_json) if isinstance(reason_json, str) else [] - ) - resource.reasons = [r for r in reasons_array if r is not None] - except (json.JSONDecodeError, TypeError): - resource.reasons = [reason_json] if reason_json else [] - - # Add private flag if requested - if include_is_private: - resource.private = bool(row[3]) - - resources.append(resource) - - # Generate next token if there are more results - next_token = None - if truncated and resources: - last_resource = resources[-1] - # Use tilde-encoding like table pagination - next_token = "{},{}".format( - tilde_encode(str(last_resource.parent)), - tilde_encode(str(last_resource.child)), - ) - - return PaginatedResources( - resources=resources, - next=next_token, - _datasette=self, - _action=action, - _actor=actor, - _parent=parent, - _include_is_private=include_is_private, - _include_reasons=include_reasons, - _limit=limit, - ) - - async def allowed( - self, - *, - action: str, - resource: "Resource" = None, - actor: dict | None = None, - ) -> bool: - """ - Check if actor can perform action on specific resource. - - Uses SQL to check permission for a single resource without fetching all resources. - This is efficient - it does NOT call allowed_resources() and check membership. - - For global actions, resource should be None (or omitted). - - Example: - from datasette.resources import TableResource - can_view = await datasette.allowed( - action="view-table", - resource=TableResource(database="analytics", table="users"), - actor=actor - ) - - # For global actions, resource can be omitted: - can_debug = await datasette.allowed(action="permissions-debug", actor=actor) - """ - from datasette.utils.actions_sql import check_permission_for_resource - - # For global actions, resource remains None - - # Check if this action has also_requires - if so, check that action first - action_obj = self.actions.get(action) - if action_obj and action_obj.also_requires: - # Must have the required action first - if not await self.allowed( - action=action_obj.also_requires, - resource=resource, - actor=actor, - ): - return False - - # For global actions, resource is None - parent = resource.parent if resource else None - child = resource.child if resource else None - - result = await check_permission_for_resource( - datasette=self, - actor=actor, - action=action, - parent=parent, - child=child, - ) - - # Log the permission check for debugging - self._permission_checks.append( - PermissionCheck( - when=datetime.datetime.now(datetime.timezone.utc).isoformat(), - actor=actor, - action=action, - parent=parent, - child=child, - result=result, - ) - ) - - return result - - async def ensure_permission( - self, - *, - action: str, - resource: "Resource" = None, - actor: dict | None = None, - ): - """ - Check if actor can perform action on resource, raising Forbidden if not. - - This is a convenience wrapper around allowed() that raises Forbidden - instead of returning False. Use this when you want to enforce a permission - check and halt execution if it fails. - - Example: - from datasette.resources import TableResource - - # Will raise Forbidden if actor cannot view the table - await datasette.ensure_permission( - action="view-table", - resource=TableResource(database="analytics", table="users"), - actor=request.actor - ) - - # For instance-level actions, resource can be omitted: - await datasette.ensure_permission( - action="permissions-debug", - actor=request.actor - ) - """ - if not await self.allowed(action=action, resource=resource, actor=actor): - raise Forbidden(action) - async def execute( self, db_name, @@ -1481,14 +1128,15 @@ class Datasette: except IndexError: return {} # Ensure user has permission to view the referenced table - from datasette.resources import TableResource - other_table = fk["other_table"] other_column = fk["other_column"] visible, _ = await self.check_visibility( actor, - action="view-table", - resource=TableResource(database=database, table=other_table), + permissions=[ + ("view-table", (database, other_table)), + ("view-database", database), + "view-instance", + ], ) if not visible: return {} @@ -1653,22 +1301,6 @@ class Datasette: def _actor(self, request): return {"actor": request.actor} - def _actions(self): - return [ - { - "name": action.name, - "abbr": action.abbr, - "description": action.description, - "takes_parent": action.takes_parent, - "takes_child": action.takes_child, - "resource_class": ( - action.resource_class.__name__ if action.resource_class else None - ), - "also_requires": action.also_requires, - } - for action in sorted(self.actions.values(), key=lambda a: a.name) - ] - async def table_config(self, database: str, table: str) -> dict: """Return dictionary of configuration for specified table""" return ( @@ -1702,10 +1334,10 @@ class Datasette: async def render_template( self, - templates: List[str] | str | Template, - context: Dict[str, Any] | Context | None = None, - request: Request | None = None, - view_name: str | None = None, + templates: Union[List[str], str, Template], + context: Optional[Union[Dict[str, Any], Context]] = None, + request: Optional[Request] = None, + view_name: Optional[str] = None, ): if not self._startup_invoked: raise Exception("render_template() called before await ds.invoke_startup()") @@ -1804,7 +1436,7 @@ class Datasette: return await template.render_async(template_context) def set_actor_cookie( - self, response: Response, actor: dict, expire_after: int | None = None + self, response: Response, actor: dict, expire_after: Optional[int] = None ): data = {"a": actor} if expire_after: @@ -1934,16 +1566,6 @@ class Datasette: ), r"/-/actor(\.(?Pjson))?$", ) - add_route( - JsonDataView.as_view( - self, - "actions.json", - self._actions, - template="debug_actions.html", - permission="permissions-debug", - ), - r"/-/actions(\.(?Pjson))?$", - ) add_route( AuthTokenView.as_view(self), r"/-/auth-token$", @@ -1956,14 +1578,6 @@ class Datasette: ApiExplorerView.as_view(self), r"/-/api$", ) - add_route( - TablesView.as_view(self), - r"/-/tables(\.(?Pjson))?$", - ) - add_route( - InstanceSchemaView.as_view(self), - r"/-/schema(\.(?Pjson|md))?$", - ) add_route( LogoutView.as_view(self), r"/-/logout$", @@ -1972,18 +1586,6 @@ class Datasette: PermissionsDebugView.as_view(self), r"/-/permissions$", ) - add_route( - AllowedResourcesView.as_view(self), - r"/-/allowed(\.(?Pjson))?$", - ) - add_route( - PermissionRulesView.as_view(self), - r"/-/rules(\.(?Pjson))?$", - ) - add_route( - PermissionCheckView.as_view(self), - r"/-/check(\.(?Pjson))?$", - ) add_route( MessagesDebugView.as_view(self), r"/-/messages$", @@ -2005,10 +1607,6 @@ class Datasette: r"/(?P[^\/\.]+)(\.(?P\w+))?$", ) add_route(TableCreateView.as_view(self), r"/(?P[^\/\.]+)/-/create$") - add_route( - DatabaseSchemaView.as_view(self), - r"/(?P[^\/\.]+)/-/schema(\.(?Pjson|md))?$", - ) add_route( wrap_view(QueryView, self), r"/(?P[^\/\.]+)/-/query(\.(?P\w+))?$", @@ -2033,10 +1631,6 @@ class Datasette: TableDropView.as_view(self), r"/(?P[^\/\.]+)/(?P[^\/\.]+)/-/drop$", ) - add_route( - TableSchemaView.as_view(self), - r"/(?P[^\/\.]+)/(?P
[^\/\.]+)/-/schema(\.(?Pjson|md))?$", - ) add_route( RowDeleteView.as_view(self), r"/(?P[^\/\.]+)/(?P
[^/]+?)/(?P[^/]+?)/-/delete$", @@ -2427,18 +2021,9 @@ class NotFoundExplicit(NotFound): class DatasetteClient: - """Internal HTTP client for making requests to a Datasette instance. - - Used for testing and for internal operations that need to make HTTP requests - to the Datasette app without going through an actual HTTP server. - """ - def __init__(self, ds): self.ds = ds - - @property - def app(self): - return self.ds.app() + self.app = ds.app() def actor_cookie(self, actor): # Utility method, mainly for tests @@ -2451,89 +2036,40 @@ class DatasetteClient: path = f"http://localhost{path}" return path - async def _request(self, method, path, skip_permission_checks=False, **kwargs): - from datasette.permissions import SkipPermissions + async def _request(self, method, path, **kwargs): + async with httpx.AsyncClient( + transport=httpx.ASGITransport(app=self.app), + cookies=kwargs.pop("cookies", None), + ) as client: + return await getattr(client, method)(self._fix(path), **kwargs) - with _DatasetteClientContext(): - if skip_permission_checks: - with SkipPermissions(): - async with httpx.AsyncClient( - transport=httpx.ASGITransport(app=self.app), - cookies=kwargs.pop("cookies", None), - ) as client: - return await getattr(client, method)(self._fix(path), **kwargs) - else: - async with httpx.AsyncClient( - transport=httpx.ASGITransport(app=self.app), - cookies=kwargs.pop("cookies", None), - ) as client: - return await getattr(client, method)(self._fix(path), **kwargs) + async def get(self, path, **kwargs): + return await self._request("get", path, **kwargs) - async def get(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "get", path, skip_permission_checks=skip_permission_checks, **kwargs - ) + async def options(self, path, **kwargs): + return await self._request("options", path, **kwargs) - async def options(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "options", path, skip_permission_checks=skip_permission_checks, **kwargs - ) + async def head(self, path, **kwargs): + return await self._request("head", path, **kwargs) - async def head(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "head", path, skip_permission_checks=skip_permission_checks, **kwargs - ) + async def post(self, path, **kwargs): + return await self._request("post", path, **kwargs) - async def post(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "post", path, skip_permission_checks=skip_permission_checks, **kwargs - ) + async def put(self, path, **kwargs): + return await self._request("put", path, **kwargs) - async def put(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "put", path, skip_permission_checks=skip_permission_checks, **kwargs - ) + async def patch(self, path, **kwargs): + return await self._request("patch", path, **kwargs) - async def patch(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "patch", path, skip_permission_checks=skip_permission_checks, **kwargs - ) - - async def delete(self, path, skip_permission_checks=False, **kwargs): - return await self._request( - "delete", path, skip_permission_checks=skip_permission_checks, **kwargs - ) - - async def request(self, method, path, skip_permission_checks=False, **kwargs): - """Make an HTTP request with the specified method. - - Args: - method: HTTP method (e.g., "GET", "POST", "PUT") - path: The path to request - skip_permission_checks: If True, bypass all permission checks for this request - **kwargs: Additional arguments to pass to httpx - - Returns: - httpx.Response: The response from the request - """ - from datasette.permissions import SkipPermissions + async def delete(self, path, **kwargs): + return await self._request("delete", path, **kwargs) + async def request(self, method, path, **kwargs): avoid_path_rewrites = kwargs.pop("avoid_path_rewrites", None) - with _DatasetteClientContext(): - if skip_permission_checks: - with SkipPermissions(): - async with httpx.AsyncClient( - transport=httpx.ASGITransport(app=self.app), - cookies=kwargs.pop("cookies", None), - ) as client: - return await client.request( - method, self._fix(path, avoid_path_rewrites), **kwargs - ) - else: - async with httpx.AsyncClient( - transport=httpx.ASGITransport(app=self.app), - cookies=kwargs.pop("cookies", None), - ) as client: - return await client.request( - method, self._fix(path, avoid_path_rewrites), **kwargs - ) + async with httpx.AsyncClient( + transport=httpx.ASGITransport(app=self.app), + cookies=kwargs.pop("cookies", None), + ) as client: + return await client.request( + method, self._fix(path, avoid_path_rewrites), **kwargs + ) diff --git a/datasette/cli.py b/datasette/cli.py index 21420491..bacabc4c 100644 --- a/datasette/cli.py +++ b/datasette/cli.py @@ -146,6 +146,7 @@ def inspect(files, inspect_file, sqlite_extensions): This can then be passed to "datasette --inspect-file" to speed up count operations against immutable database files. """ + app = Datasette([], immutables=files, sqlite_extensions=sqlite_extensions) inspect_data = run_sync(lambda: inspect_(files, sqlite_extensions)) if inspect_file == "-": sys.stdout.write(json.dumps(inspect_data, indent=2)) @@ -438,20 +439,10 @@ def uninstall(packages, yes): help="Output URL that sets a cookie authenticating the root user", is_flag=True, ) -@click.option( - "--default-deny", - help="Deny all permissions by default", - is_flag=True, -) @click.option( "--get", help="Run an HTTP GET request against this path, print results and exit", ) -@click.option( - "--headers", - is_flag=True, - help="Include HTTP headers in --get output", -) @click.option( "--token", help="API token to send with --get requests", @@ -519,9 +510,7 @@ def serve( settings, secret, root, - default_deny, get, - headers, token, actor, version_note, @@ -600,23 +589,15 @@ def serve( crossdb=crossdb, nolock=nolock, internal=internal, - default_deny=default_deny, ) - # Separate directories from files - directories = [f for f in files if os.path.isdir(f)] - file_paths = [f for f in files if not os.path.isdir(f)] - - # Handle config_dir - only one directory allowed - if len(directories) > 1: - raise click.ClickException( - "Cannot pass multiple directories. Pass a single directory as config_dir." - ) - elif len(directories) == 1: - kwargs["config_dir"] = pathlib.Path(directories[0]) + # if files is a single directory, use that as config_dir= + if 1 == len(files) and os.path.isdir(files[0]): + kwargs["config_dir"] = pathlib.Path(files[0]) + files = [] # Verify list of files, create if needed (and --create) - for file in file_paths: + for file in files: if not pathlib.Path(file).exists(): if create: sqlite3.connect(file).execute("vacuum") @@ -627,32 +608,8 @@ def serve( ) ) - # Check for duplicate files by resolving all paths to their absolute forms - # Collect all database files that will be loaded (explicit files + config_dir files) - all_db_files = [] - - # Add explicit files - for file in file_paths: - all_db_files.append((file, pathlib.Path(file).resolve())) - - # Add config_dir databases if config_dir is set - if "config_dir" in kwargs: - config_dir = kwargs["config_dir"] - for ext in ("db", "sqlite", "sqlite3"): - for db_file in config_dir.glob(f"*.{ext}"): - all_db_files.append((str(db_file), db_file.resolve())) - - # Check for duplicates - seen = {} - for original_path, resolved_path in all_db_files: - if resolved_path in seen: - raise click.ClickException( - f"Duplicate database file: '{original_path}' and '{seen[resolved_path]}' " - f"both refer to {resolved_path}" - ) - seen[resolved_path] = original_path - - files = file_paths + # De-duplicate files so 'datasette db.db db.db' only attaches one /db + files = list(dict.fromkeys(files)) try: ds = Datasette(files, **kwargs) @@ -671,33 +628,19 @@ def serve( # Run async soundness checks - but only if we're not under pytest run_sync(lambda: check_databases(ds)) - if headers and not get: - raise click.ClickException("--headers can only be used with --get") - if token and not get: raise click.ClickException("--token can only be used with --get") if get: client = TestClient(ds) - request_headers = {} + headers = {} if token: - request_headers["Authorization"] = "Bearer {}".format(token) + headers["Authorization"] = "Bearer {}".format(token) cookies = {} if actor: cookies["ds_actor"] = client.actor_cookie(json.loads(actor)) - response = client.get(get, headers=request_headers, cookies=cookies) - - if headers: - # Output HTTP status code, headers, two newlines, then the response body - click.echo(f"HTTP/1.1 {response.status}") - for key, value in response.headers.items(): - click.echo(f"{key}: {value}") - if response.text: - click.echo() - click.echo(response.text) - else: - click.echo(response.text) - + response = client.get(get, headers=headers, cookies=cookies) + click.echo(response.text) exit_code = 0 if response.status == 200 else 1 sys.exit(exit_code) return @@ -705,7 +648,6 @@ def serve( # Start the server url = None if root: - ds.root_enabled = True url = "http://{}:{}{}?token={}".format( host, port, ds.urls.path("-/auth-token"), ds._root_token ) @@ -823,7 +765,7 @@ def create_token( actions.extend([p[1] for p in databases]) actions.extend([p[2] for p in resources]) for action in actions: - if not ds.actions.get(action): + if not ds.permissions.get(action): click.secho( f" Unknown permission: {action} ", fg="red", diff --git a/datasette/database.py b/datasette/database.py index e5858128..b74f02bb 100644 --- a/datasette/database.py +++ b/datasette/database.py @@ -143,9 +143,7 @@ class Database: return conn.executescript(sql) with trace("sql", database=self.name, sql=sql.strip(), executescript=True): - results = await self.execute_write_fn( - _inner, block=block, transaction=False - ) + results = await self.execute_write_fn(_inner, block=block) return results async def execute_write_many(self, sql, params_seq, block=True): @@ -410,12 +408,7 @@ class Database: # But SQLite prior to 3.16.0 doesn't support pragma functions results = await self.execute("PRAGMA database_list;") # {'seq': 0, 'name': 'main', 'file': ''} - return [ - AttachedDatabase(*row) - for row in results.rows - # Filter out the SQLite internal "temp" database, refs #2557 - if row["seq"] > 0 and row["name"] != "temp" - ] + return [AttachedDatabase(*row) for row in results.rows if row["seq"] > 0] async def table_exists(self, table): results = await self.execute( diff --git a/datasette/default_actions.py b/datasette/default_actions.py deleted file mode 100644 index 87d98fac..00000000 --- a/datasette/default_actions.py +++ /dev/null @@ -1,101 +0,0 @@ -from datasette import hookimpl -from datasette.permissions import Action -from datasette.resources import ( - DatabaseResource, - TableResource, - QueryResource, -) - - -@hookimpl -def register_actions(): - """Register the core Datasette actions.""" - return ( - # Global actions (no resource_class) - Action( - name="view-instance", - abbr="vi", - description="View Datasette instance", - ), - Action( - name="permissions-debug", - abbr="pd", - description="Access permission debug tool", - ), - Action( - name="debug-menu", - abbr="dm", - description="View debug menu items", - ), - # Database-level actions (parent-level) - Action( - name="view-database", - abbr="vd", - description="View database", - resource_class=DatabaseResource, - ), - Action( - name="view-database-download", - abbr="vdd", - description="Download database file", - resource_class=DatabaseResource, - also_requires="view-database", - ), - Action( - name="execute-sql", - abbr="es", - description="Execute read-only SQL queries", - resource_class=DatabaseResource, - also_requires="view-database", - ), - Action( - name="create-table", - abbr="ct", - description="Create tables", - resource_class=DatabaseResource, - ), - # Table-level actions (child-level) - Action( - name="view-table", - abbr="vt", - description="View table", - resource_class=TableResource, - ), - Action( - name="insert-row", - abbr="ir", - description="Insert rows", - resource_class=TableResource, - ), - Action( - name="delete-row", - abbr="dr", - description="Delete rows", - resource_class=TableResource, - ), - Action( - name="update-row", - abbr="ur", - description="Update rows", - resource_class=TableResource, - ), - Action( - name="alter-table", - abbr="at", - description="Alter tables", - resource_class=TableResource, - ), - Action( - name="drop-table", - abbr="dt", - description="Drop tables", - resource_class=TableResource, - ), - # Query-level actions (child-level) - Action( - name="view-query", - abbr="vq", - description="View named query results", - resource_class=QueryResource, - ), - ) diff --git a/datasette/default_menu_links.py b/datasette/default_menu_links.py index 85032387..22e6e46a 100644 --- a/datasette/default_menu_links.py +++ b/datasette/default_menu_links.py @@ -4,7 +4,7 @@ from datasette import hookimpl @hookimpl def menu_links(datasette, actor): async def inner(): - if not await datasette.allowed(action="debug-menu", actor=actor): + if not await datasette.permission_allowed(actor, "debug-menu"): return [] return [ diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py new file mode 100644 index 00000000..757b3a46 --- /dev/null +++ b/datasette/default_permissions.py @@ -0,0 +1,420 @@ +from datasette import hookimpl, Permission +from datasette.utils import actor_matches_allow +import itsdangerous +import time +from typing import Union, Tuple + + +@hookimpl +def register_permissions(): + return ( + Permission( + name="view-instance", + abbr="vi", + description="View Datasette instance", + takes_database=False, + takes_resource=False, + default=True, + ), + Permission( + name="view-database", + abbr="vd", + description="View database", + takes_database=True, + takes_resource=False, + default=True, + implies_can_view=True, + ), + Permission( + name="view-database-download", + abbr="vdd", + description="Download database file", + takes_database=True, + takes_resource=False, + default=True, + ), + Permission( + name="view-table", + abbr="vt", + description="View table", + takes_database=True, + takes_resource=True, + default=True, + implies_can_view=True, + ), + Permission( + name="view-query", + abbr="vq", + description="View named query results", + takes_database=True, + takes_resource=True, + default=True, + implies_can_view=True, + ), + Permission( + name="execute-sql", + abbr="es", + description="Execute read-only SQL queries", + takes_database=True, + takes_resource=False, + default=True, + implies_can_view=True, + ), + Permission( + name="permissions-debug", + abbr="pd", + description="Access permission debug tool", + takes_database=False, + takes_resource=False, + default=False, + ), + Permission( + name="debug-menu", + abbr="dm", + description="View debug menu items", + takes_database=False, + takes_resource=False, + default=False, + ), + Permission( + name="insert-row", + abbr="ir", + description="Insert rows", + takes_database=True, + takes_resource=True, + default=False, + ), + Permission( + name="delete-row", + abbr="dr", + description="Delete rows", + takes_database=True, + takes_resource=True, + default=False, + ), + Permission( + name="update-row", + abbr="ur", + description="Update rows", + takes_database=True, + takes_resource=True, + default=False, + ), + Permission( + name="create-table", + abbr="ct", + description="Create tables", + takes_database=True, + takes_resource=False, + default=False, + ), + Permission( + name="alter-table", + abbr="at", + description="Alter tables", + takes_database=True, + takes_resource=True, + default=False, + ), + Permission( + name="drop-table", + abbr="dt", + description="Drop tables", + takes_database=True, + takes_resource=True, + default=False, + ), + ) + + +@hookimpl(tryfirst=True, specname="permission_allowed") +def permission_allowed_default(datasette, actor, action, resource): + async def inner(): + # id=root gets some special permissions: + if action in ( + "permissions-debug", + "debug-menu", + "insert-row", + "create-table", + "alter-table", + "drop-table", + "delete-row", + "update-row", + ): + if actor and actor.get("id") == "root": + return True + + # Resolve view permissions in allow blocks in configuration + if action in ( + "view-instance", + "view-database", + "view-table", + "view-query", + "execute-sql", + ): + result = await _resolve_config_view_permissions( + datasette, actor, action, resource + ) + if result is not None: + return result + + # Resolve custom permissions: blocks in configuration + result = await _resolve_config_permissions_blocks( + datasette, actor, action, resource + ) + if result is not None: + return result + + # --setting default_allow_sql + if action == "execute-sql" and not datasette.setting("default_allow_sql"): + return False + + return inner + + +async def _resolve_config_permissions_blocks(datasette, actor, action, resource): + # Check custom permissions: blocks + config = datasette.config or {} + root_block = (config.get("permissions", None) or {}).get(action) + if root_block: + root_result = actor_matches_allow(actor, root_block) + if root_result is not None: + return root_result + # Now try database-specific blocks + if not resource: + return None + if isinstance(resource, str): + database = resource + else: + database = resource[0] + database_block = ( + (config.get("databases", {}).get(database, {}).get("permissions", None)) or {} + ).get(action) + if database_block: + database_result = actor_matches_allow(actor, database_block) + if database_result is not None: + return database_result + # Finally try table/query specific blocks + if not isinstance(resource, tuple): + return None + database, table_or_query = resource + table_block = ( + ( + config.get("databases", {}) + .get(database, {}) + .get("tables", {}) + .get(table_or_query, {}) + .get("permissions", None) + ) + or {} + ).get(action) + if table_block: + table_result = actor_matches_allow(actor, table_block) + if table_result is not None: + return table_result + # Finally the canned queries + query_block = ( + ( + config.get("databases", {}) + .get(database, {}) + .get("queries", {}) + .get(table_or_query, {}) + .get("permissions", None) + ) + or {} + ).get(action) + if query_block: + query_result = actor_matches_allow(actor, query_block) + if query_result is not None: + return query_result + return None + + +async def _resolve_config_view_permissions(datasette, actor, action, resource): + config = datasette.config or {} + if action == "view-instance": + allow = config.get("allow") + if allow is not None: + return actor_matches_allow(actor, allow) + elif action == "view-database": + database_allow = ((config.get("databases") or {}).get(resource) or {}).get( + "allow" + ) + if database_allow is None: + return None + return actor_matches_allow(actor, database_allow) + elif action == "view-table": + database, table = resource + tables = ((config.get("databases") or {}).get(database) or {}).get( + "tables" + ) or {} + table_allow = (tables.get(table) or {}).get("allow") + if table_allow is None: + return None + return actor_matches_allow(actor, table_allow) + elif action == "view-query": + # Check if this query has a "allow" block in config + database, query_name = resource + query = await datasette.get_canned_query(database, query_name, actor) + assert query is not None + allow = query.get("allow") + if allow is None: + return None + return actor_matches_allow(actor, allow) + elif action == "execute-sql": + # Use allow_sql block from database block, or from top-level + database_allow_sql = ((config.get("databases") or {}).get(resource) or {}).get( + "allow_sql" + ) + if database_allow_sql is None: + database_allow_sql = config.get("allow_sql") + if database_allow_sql is None: + return None + return actor_matches_allow(actor, database_allow_sql) + + +def restrictions_allow_action( + datasette: "Datasette", + restrictions: dict, + action: str, + resource: Union[str, Tuple[str, str]], +): + "Do these restrictions allow the requested action against the requested resource?" + if action == "view-instance": + # Special case for view-instance: it's allowed if the restrictions include any + # permissions that have the implies_can_view=True flag set + all_rules = restrictions.get("a") or [] + for database_rules in (restrictions.get("d") or {}).values(): + all_rules += database_rules + for database_resource_rules in (restrictions.get("r") or {}).values(): + for resource_rules in database_resource_rules.values(): + all_rules += resource_rules + permissions = [datasette.get_permission(action) for action in all_rules] + if any(p for p in permissions if p.implies_can_view): + return True + + if action == "view-database": + # Special case for view-database: it's allowed if the restrictions include any + # permissions that have the implies_can_view=True flag set AND takes_database + all_rules = restrictions.get("a") or [] + database_rules = list((restrictions.get("d") or {}).get(resource) or []) + all_rules += database_rules + resource_rules = ((restrictions.get("r") or {}).get(resource) or {}).values() + for resource_rules in (restrictions.get("r") or {}).values(): + for table_rules in resource_rules.values(): + all_rules += table_rules + permissions = [datasette.get_permission(action) for action in all_rules] + if any(p for p in permissions if p.implies_can_view and p.takes_database): + return True + + # Does this action have an abbreviation? + to_check = {action} + permission = datasette.permissions.get(action) + if permission and permission.abbr: + to_check.add(permission.abbr) + + # If restrictions is defined then we use those to further restrict the actor + # Crucially, we only use this to say NO (return False) - we never + # use it to return YES (True) because that might over-ride other + # restrictions placed on this actor + all_allowed = restrictions.get("a") + if all_allowed is not None: + assert isinstance(all_allowed, list) + if to_check.intersection(all_allowed): + return True + # How about for the current database? + if resource: + if isinstance(resource, str): + database_name = resource + else: + database_name = resource[0] + database_allowed = restrictions.get("d", {}).get(database_name) + if database_allowed is not None: + assert isinstance(database_allowed, list) + if to_check.intersection(database_allowed): + return True + # Or the current table? That's any time the resource is (database, table) + if resource is not None and not isinstance(resource, str) and len(resource) == 2: + database, table = resource + table_allowed = restrictions.get("r", {}).get(database, {}).get(table) + # TODO: What should this do for canned queries? + if table_allowed is not None: + assert isinstance(table_allowed, list) + if to_check.intersection(table_allowed): + return True + + # This action is not specifically allowed, so reject it + return False + + +@hookimpl(specname="permission_allowed") +def permission_allowed_actor_restrictions(datasette, actor, action, resource): + if actor is None: + return None + if "_r" not in actor: + # No restrictions, so we have no opinion + return None + _r = actor.get("_r") + if restrictions_allow_action(datasette, _r, action, resource): + # Return None because we do not have an opinion here + return None + else: + # Block this permission check + return False + + +@hookimpl +def actor_from_request(datasette, request): + prefix = "dstok_" + if not datasette.setting("allow_signed_tokens"): + return None + max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl") + authorization = request.headers.get("authorization") + if not authorization: + return None + if not authorization.startswith("Bearer "): + return None + token = authorization[len("Bearer ") :] + if not token.startswith(prefix): + return None + token = token[len(prefix) :] + try: + decoded = datasette.unsign(token, namespace="token") + except itsdangerous.BadSignature: + return None + if "t" not in decoded: + # Missing timestamp + return None + created = decoded["t"] + if not isinstance(created, int): + # Invalid timestamp + return None + duration = decoded.get("d") + if duration is not None and not isinstance(duration, int): + # Invalid duration + return None + if (duration is None and max_signed_tokens_ttl) or ( + duration is not None + and max_signed_tokens_ttl + and duration > max_signed_tokens_ttl + ): + duration = max_signed_tokens_ttl + if duration: + if time.time() - created > duration: + # Expired + return None + actor = {"id": decoded["a"], "token": "dstok"} + if "_r" in decoded: + actor["_r"] = decoded["_r"] + if duration: + actor["token_expires"] = created + duration + return actor + + +@hookimpl +def skip_csrf(scope): + # Skip CSRF check for requests with content-type: application/json + if scope["type"] == "http": + headers = scope.get("headers") or {} + if dict(headers).get(b"content-type") == b"application/json": + return True diff --git a/datasette/default_permissions/__init__.py b/datasette/default_permissions/__init__.py deleted file mode 100644 index 4c82d705..00000000 --- a/datasette/default_permissions/__init__.py +++ /dev/null @@ -1,59 +0,0 @@ -""" -Default permission implementations for Datasette. - -This module provides the built-in permission checking logic through implementations -of the permission_resources_sql hook. The hooks are organized by their purpose: - -1. Actor Restrictions - Enforces _r allowlists embedded in actor tokens -2. Root User - Grants full access when --root flag is used -3. Config Rules - Applies permissions from datasette.yaml -4. Default Settings - Enforces default_allow_sql and default view permissions - -IMPORTANT: These hooks return PermissionSQL objects that are combined using SQL -UNION/INTERSECT operations. The order of evaluation is: - - restriction_sql fields are INTERSECTed (all must match) - - Regular sql fields are UNIONed and evaluated with cascading priority -""" - -from __future__ import annotations - -from typing import TYPE_CHECKING, Optional - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette import hookimpl - -# Re-export all hooks and public utilities -from .restrictions import ( - actor_restrictions_sql, - restrictions_allow_action, - ActorRestrictions, -) -from .root import root_user_permissions_sql -from .config import config_permissions_sql -from .defaults import ( - default_allow_sql_check, - default_action_permissions_sql, - DEFAULT_ALLOW_ACTIONS, -) -from .tokens import actor_from_signed_api_token - - -@hookimpl -def skip_csrf(scope) -> Optional[bool]: - """Skip CSRF check for JSON content-type requests.""" - if scope["type"] == "http": - headers = scope.get("headers") or {} - if dict(headers).get(b"content-type") == b"application/json": - return True - return None - - -@hookimpl -def canned_queries(datasette: "Datasette", database: str, actor) -> dict: - """Return canned queries defined in datasette.yaml configuration.""" - queries = ( - ((datasette.config or {}).get("databases") or {}).get(database) or {} - ).get("queries") or {} - return queries diff --git a/datasette/default_permissions/config.py b/datasette/default_permissions/config.py deleted file mode 100644 index aab87c1c..00000000 --- a/datasette/default_permissions/config.py +++ /dev/null @@ -1,442 +0,0 @@ -""" -Config-based permission handling for Datasette. - -Applies permission rules from datasette.yaml configuration. -""" - -from __future__ import annotations - -from typing import TYPE_CHECKING, Any, List, Optional, Set, Tuple - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette import hookimpl -from datasette.permissions import PermissionSQL -from datasette.utils import actor_matches_allow - -from .helpers import PermissionRowCollector, get_action_name_variants - - -class ConfigPermissionProcessor: - """ - Processes permission rules from datasette.yaml configuration. - - Configuration structure: - - permissions: # Root-level permissions block - view-instance: - id: admin - - databases: - mydb: - permissions: # Database-level permissions - view-database: - id: admin - allow: # Database-level allow block (for view-*) - id: viewer - allow_sql: # execute-sql allow block - id: analyst - tables: - users: - permissions: # Table-level permissions - view-table: - id: admin - allow: # Table-level allow block - id: viewer - queries: - my_query: - permissions: # Query-level permissions - view-query: - id: admin - allow: # Query-level allow block - id: viewer - """ - - def __init__( - self, - datasette: "Datasette", - actor: Optional[dict], - action: str, - ): - self.datasette = datasette - self.actor = actor - self.action = action - self.config = datasette.config or {} - self.collector = PermissionRowCollector(prefix="cfg") - - # Pre-compute action variants - self.action_checks = get_action_name_variants(datasette, action) - self.action_obj = datasette.actions.get(action) - - # Parse restrictions if present - self.has_restrictions = actor and "_r" in actor if actor else False - self.restrictions = actor.get("_r", {}) if actor else {} - - # Pre-compute restriction info for efficiency - self.restricted_databases: Set[str] = set() - self.restricted_tables: Set[Tuple[str, str]] = set() - - if self.has_restrictions: - self.restricted_databases = { - db_name - for db_name, db_actions in (self.restrictions.get("d") or {}).items() - if self.action_checks.intersection(db_actions) - } - self.restricted_tables = { - (db_name, table_name) - for db_name, tables in (self.restrictions.get("r") or {}).items() - for table_name, table_actions in tables.items() - if self.action_checks.intersection(table_actions) - } - # Tables implicitly reference their parent databases - self.restricted_databases.update(db for db, _ in self.restricted_tables) - - def evaluate_allow_block(self, allow_block: Any) -> Optional[bool]: - """Evaluate an allow block against the current actor.""" - if allow_block is None: - return None - return actor_matches_allow(self.actor, allow_block) - - def is_in_restriction_allowlist( - self, - parent: Optional[str], - child: Optional[str], - ) -> bool: - """Check if resource is allowed by actor restrictions.""" - if not self.has_restrictions: - return True # No restrictions, all resources allowed - - # Check global allowlist - if self.action_checks.intersection(self.restrictions.get("a", [])): - return True - - # Check database-level allowlist - if parent and self.action_checks.intersection( - self.restrictions.get("d", {}).get(parent, []) - ): - return True - - # Check table-level allowlist - if parent: - table_restrictions = (self.restrictions.get("r", {}) or {}).get(parent, {}) - if child: - table_actions = table_restrictions.get(child, []) - if self.action_checks.intersection(table_actions): - return True - else: - # Parent query should proceed if any child in this database is allowlisted - for table_actions in table_restrictions.values(): - if self.action_checks.intersection(table_actions): - return True - - # Parent/child both None: include if any restrictions exist for this action - if parent is None and child is None: - if self.action_checks.intersection(self.restrictions.get("a", [])): - return True - if self.restricted_databases: - return True - if self.restricted_tables: - return True - - return False - - def add_permissions_rule( - self, - parent: Optional[str], - child: Optional[str], - permissions_block: Optional[dict], - scope_desc: str, - ) -> None: - """Add a rule from a permissions:{action} block.""" - if permissions_block is None: - return - - action_allow_block = permissions_block.get(self.action) - result = self.evaluate_allow_block(action_allow_block) - - self.collector.add( - parent=parent, - child=child, - allow=result, - reason=f"config {'allow' if result else 'deny'} {scope_desc}", - if_not_none=True, - ) - - def add_allow_block_rule( - self, - parent: Optional[str], - child: Optional[str], - allow_block: Any, - scope_desc: str, - ) -> None: - """ - Add rules from an allow:{} block. - - For allow blocks, if the block exists but doesn't match the actor, - this is treated as a deny. We also handle the restriction-gate logic. - """ - if allow_block is None: - return - - # Skip if resource is not in restriction allowlist - if not self.is_in_restriction_allowlist(parent, child): - return - - result = self.evaluate_allow_block(allow_block) - bool_result = bool(result) - - self.collector.add( - parent, - child, - bool_result, - f"config {'allow' if result else 'deny'} {scope_desc}", - ) - - # Handle restriction-gate: add explicit denies for restricted resources - self._add_restriction_gate_denies(parent, child, bool_result, scope_desc) - - def _add_restriction_gate_denies( - self, - parent: Optional[str], - child: Optional[str], - is_allowed: bool, - scope_desc: str, - ) -> None: - """ - When a config rule denies at a higher level, add explicit denies - for restricted resources to prevent child-level allows from - incorrectly granting access. - """ - if is_allowed or child is not None or not self.has_restrictions: - return - - if not self.action_obj: - return - - reason = f"config deny {scope_desc} (restriction gate)" - - if parent is None: - # Root-level deny: add denies for all restricted resources - if self.action_obj.takes_parent: - for db_name in self.restricted_databases: - self.collector.add(db_name, None, False, reason) - if self.action_obj.takes_child: - for db_name, table_name in self.restricted_tables: - self.collector.add(db_name, table_name, False, reason) - else: - # Database-level deny: add denies for tables in that database - if self.action_obj.takes_child: - for db_name, table_name in self.restricted_tables: - if db_name == parent: - self.collector.add(db_name, table_name, False, reason) - - def process(self) -> Optional[PermissionSQL]: - """Process all config rules and return combined PermissionSQL.""" - self._process_root_permissions() - self._process_databases() - self._process_root_allow_blocks() - - return self.collector.to_permission_sql() - - def _process_root_permissions(self) -> None: - """Process root-level permissions block.""" - root_perms = self.config.get("permissions") or {} - self.add_permissions_rule( - None, - None, - root_perms, - f"permissions for {self.action}", - ) - - def _process_databases(self) -> None: - """Process database-level and nested configurations.""" - databases = self.config.get("databases") or {} - - for db_name, db_config in databases.items(): - self._process_database(db_name, db_config or {}) - - def _process_database(self, db_name: str, db_config: dict) -> None: - """Process a single database's configuration.""" - # Database-level permissions block - db_perms = db_config.get("permissions") or {} - self.add_permissions_rule( - db_name, - None, - db_perms, - f"permissions for {self.action} on {db_name}", - ) - - # Process tables - for table_name, table_config in (db_config.get("tables") or {}).items(): - self._process_table(db_name, table_name, table_config or {}) - - # Process queries - for query_name, query_config in (db_config.get("queries") or {}).items(): - self._process_query(db_name, query_name, query_config) - - # Database-level allow blocks - self._process_database_allow_blocks(db_name, db_config) - - def _process_table( - self, - db_name: str, - table_name: str, - table_config: dict, - ) -> None: - """Process a single table's configuration.""" - # Table-level permissions block - table_perms = table_config.get("permissions") or {} - self.add_permissions_rule( - db_name, - table_name, - table_perms, - f"permissions for {self.action} on {db_name}/{table_name}", - ) - - # Table-level allow block (for view-table) - if self.action == "view-table": - self.add_allow_block_rule( - db_name, - table_name, - table_config.get("allow"), - f"allow for {self.action} on {db_name}/{table_name}", - ) - - def _process_query( - self, - db_name: str, - query_name: str, - query_config: Any, - ) -> None: - """Process a single query's configuration.""" - # Query config can be a string (just SQL) or dict - if not isinstance(query_config, dict): - return - - # Query-level permissions block - query_perms = query_config.get("permissions") or {} - self.add_permissions_rule( - db_name, - query_name, - query_perms, - f"permissions for {self.action} on {db_name}/{query_name}", - ) - - # Query-level allow block (for view-query) - if self.action == "view-query": - self.add_allow_block_rule( - db_name, - query_name, - query_config.get("allow"), - f"allow for {self.action} on {db_name}/{query_name}", - ) - - def _process_database_allow_blocks( - self, - db_name: str, - db_config: dict, - ) -> None: - """Process database-level allow/allow_sql blocks.""" - # view-database allow block - if self.action == "view-database": - self.add_allow_block_rule( - db_name, - None, - db_config.get("allow"), - f"allow for {self.action} on {db_name}", - ) - - # execute-sql allow_sql block - if self.action == "execute-sql": - self.add_allow_block_rule( - db_name, - None, - db_config.get("allow_sql"), - f"allow_sql for {db_name}", - ) - - # view-table uses database-level allow for inheritance - if self.action == "view-table": - self.add_allow_block_rule( - db_name, - None, - db_config.get("allow"), - f"allow for {self.action} on {db_name}", - ) - - # view-query uses database-level allow for inheritance - if self.action == "view-query": - self.add_allow_block_rule( - db_name, - None, - db_config.get("allow"), - f"allow for {self.action} on {db_name}", - ) - - def _process_root_allow_blocks(self) -> None: - """Process root-level allow/allow_sql blocks.""" - root_allow = self.config.get("allow") - - if self.action == "view-instance": - self.add_allow_block_rule( - None, - None, - root_allow, - "allow for view-instance", - ) - - if self.action == "view-database": - self.add_allow_block_rule( - None, - None, - root_allow, - "allow for view-database", - ) - - if self.action == "view-table": - self.add_allow_block_rule( - None, - None, - root_allow, - "allow for view-table", - ) - - if self.action == "view-query": - self.add_allow_block_rule( - None, - None, - root_allow, - "allow for view-query", - ) - - if self.action == "execute-sql": - self.add_allow_block_rule( - None, - None, - self.config.get("allow_sql"), - "allow_sql", - ) - - -@hookimpl(specname="permission_resources_sql") -async def config_permissions_sql( - datasette: "Datasette", - actor: Optional[dict], - action: str, -) -> Optional[List[PermissionSQL]]: - """ - Apply permission rules from datasette.yaml configuration. - - This processes: - - permissions: blocks at root, database, table, and query levels - - allow: blocks for view-* actions - - allow_sql: blocks for execute-sql action - """ - processor = ConfigPermissionProcessor(datasette, actor, action) - result = processor.process() - - if result is None: - return [] - - return [result] diff --git a/datasette/default_permissions/defaults.py b/datasette/default_permissions/defaults.py deleted file mode 100644 index f5a6a270..00000000 --- a/datasette/default_permissions/defaults.py +++ /dev/null @@ -1,70 +0,0 @@ -""" -Default permission settings for Datasette. - -Provides default allow rules for standard view/execute actions. -""" - -from __future__ import annotations - -from typing import TYPE_CHECKING, Optional - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette import hookimpl -from datasette.permissions import PermissionSQL - - -# Actions that are allowed by default (unless --default-deny is used) -DEFAULT_ALLOW_ACTIONS = frozenset( - { - "view-instance", - "view-database", - "view-database-download", - "view-table", - "view-query", - "execute-sql", - } -) - - -@hookimpl(specname="permission_resources_sql") -async def default_allow_sql_check( - datasette: "Datasette", - actor: Optional[dict], - action: str, -) -> Optional[PermissionSQL]: - """ - Enforce the default_allow_sql setting. - - When default_allow_sql is false (the default), execute-sql is denied - unless explicitly allowed by config or other rules. - """ - if action == "execute-sql": - if not datasette.setting("default_allow_sql"): - return PermissionSQL.deny(reason="default_allow_sql is false") - - return None - - -@hookimpl(specname="permission_resources_sql") -async def default_action_permissions_sql( - datasette: "Datasette", - actor: Optional[dict], - action: str, -) -> Optional[PermissionSQL]: - """ - Provide default allow rules for standard view/execute actions. - - These defaults are skipped when datasette is started with --default-deny. - The restriction_sql mechanism (from actor_restrictions_sql) will still - filter these results if the actor has restrictions. - """ - if datasette.default_deny: - return None - - if action in DEFAULT_ALLOW_ACTIONS: - reason = f"default allow for {action}".replace("'", "''") - return PermissionSQL.allow(reason=reason) - - return None diff --git a/datasette/default_permissions/helpers.py b/datasette/default_permissions/helpers.py deleted file mode 100644 index 47e03569..00000000 --- a/datasette/default_permissions/helpers.py +++ /dev/null @@ -1,85 +0,0 @@ -""" -Shared helper utilities for default permission implementations. -""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import TYPE_CHECKING, List, Optional, Set - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette.permissions import PermissionSQL - - -def get_action_name_variants(datasette: "Datasette", action: str) -> Set[str]: - """ - Get all name variants for an action (full name and abbreviation). - - Example: - get_action_name_variants(ds, "view-table") -> {"view-table", "vt"} - """ - variants = {action} - action_obj = datasette.actions.get(action) - if action_obj and action_obj.abbr: - variants.add(action_obj.abbr) - return variants - - -def action_in_list(datasette: "Datasette", action: str, action_list: list) -> bool: - """Check if an action (or its abbreviation) is in a list.""" - return bool(get_action_name_variants(datasette, action).intersection(action_list)) - - -@dataclass -class PermissionRow: - """A single permission rule row.""" - - parent: Optional[str] - child: Optional[str] - allow: bool - reason: str - - -class PermissionRowCollector: - """Collects permission rows and converts them to PermissionSQL.""" - - def __init__(self, prefix: str = "row"): - self.rows: List[PermissionRow] = [] - self.prefix = prefix - - def add( - self, - parent: Optional[str], - child: Optional[str], - allow: Optional[bool], - reason: str, - if_not_none: bool = False, - ) -> None: - """Add a permission row. If if_not_none=True, only add if allow is not None.""" - if if_not_none and allow is None: - return - self.rows.append(PermissionRow(parent, child, allow, reason)) - - def to_permission_sql(self) -> Optional[PermissionSQL]: - """Convert collected rows to a PermissionSQL object.""" - if not self.rows: - return None - - parts = [] - params = {} - - for idx, row in enumerate(self.rows): - key = f"{self.prefix}_{idx}" - parts.append( - f"SELECT :{key}_parent AS parent, :{key}_child AS child, " - f":{key}_allow AS allow, :{key}_reason AS reason" - ) - params[f"{key}_parent"] = row.parent - params[f"{key}_child"] = row.child - params[f"{key}_allow"] = 1 if row.allow else 0 - params[f"{key}_reason"] = row.reason - - sql = "\nUNION ALL\n".join(parts) - return PermissionSQL(sql=sql, params=params) diff --git a/datasette/default_permissions/restrictions.py b/datasette/default_permissions/restrictions.py deleted file mode 100644 index a22cd7e5..00000000 --- a/datasette/default_permissions/restrictions.py +++ /dev/null @@ -1,195 +0,0 @@ -""" -Actor restriction handling for Datasette permissions. - -This module handles the _r (restrictions) key in actor dictionaries, which -contains allowlists of resources the actor can access. -""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import TYPE_CHECKING, List, Optional, Set, Tuple - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette import hookimpl -from datasette.permissions import PermissionSQL - -from .helpers import action_in_list, get_action_name_variants - - -@dataclass -class ActorRestrictions: - """Parsed actor restrictions from the _r key.""" - - global_actions: List[str] # _r.a - globally allowed actions - database_actions: dict # _r.d - {db_name: [actions]} - table_actions: dict # _r.r - {db_name: {table: [actions]}} - - @classmethod - def from_actor(cls, actor: Optional[dict]) -> Optional["ActorRestrictions"]: - """Parse restrictions from actor dict. Returns None if no restrictions.""" - if not actor: - return None - assert isinstance(actor, dict), "actor must be a dictionary" - - restrictions = actor.get("_r") - if restrictions is None: - return None - - return cls( - global_actions=restrictions.get("a", []), - database_actions=restrictions.get("d", {}), - table_actions=restrictions.get("r", {}), - ) - - def is_action_globally_allowed(self, datasette: "Datasette", action: str) -> bool: - """Check if action is in the global allowlist.""" - return action_in_list(datasette, action, self.global_actions) - - def get_allowed_databases(self, datasette: "Datasette", action: str) -> Set[str]: - """Get database names where this action is allowed.""" - allowed = set() - for db_name, db_actions in self.database_actions.items(): - if action_in_list(datasette, action, db_actions): - allowed.add(db_name) - return allowed - - def get_allowed_tables( - self, datasette: "Datasette", action: str - ) -> Set[Tuple[str, str]]: - """Get (database, table) pairs where this action is allowed.""" - allowed = set() - for db_name, tables in self.table_actions.items(): - for table_name, table_actions in tables.items(): - if action_in_list(datasette, action, table_actions): - allowed.add((db_name, table_name)) - return allowed - - -@hookimpl(specname="permission_resources_sql") -async def actor_restrictions_sql( - datasette: "Datasette", - actor: Optional[dict], - action: str, -) -> Optional[List[PermissionSQL]]: - """ - Handle actor restriction-based permission rules. - - When an actor has an "_r" key, it contains an allowlist of resources they - can access. This function returns restriction_sql that filters the final - results to only include resources in that allowlist. - - The _r structure: - { - "a": ["vi", "pd"], # Global actions allowed - "d": {"mydb": ["vt", "es"]}, # Database-level actions - "r": {"mydb": {"users": ["vt"]}} # Table-level actions - } - """ - if not actor: - return None - - restrictions = ActorRestrictions.from_actor(actor) - - if restrictions is None: - # No restrictions - all resources allowed - return [] - - # If globally allowed, no filtering needed - if restrictions.is_action_globally_allowed(datasette, action): - return [] - - # Build restriction SQL - allowed_dbs = restrictions.get_allowed_databases(datasette, action) - allowed_tables = restrictions.get_allowed_tables(datasette, action) - - # If nothing is allowed for this action, return empty-set restriction - if not allowed_dbs and not allowed_tables: - return [ - PermissionSQL( - params={"deny": f"actor restrictions: {action} not in allowlist"}, - restriction_sql="SELECT NULL AS parent, NULL AS child WHERE 0", - ) - ] - - # Build UNION of allowed resources - selects = [] - params = {} - counter = 0 - - # Database-level entries (parent, NULL) - allows all children - for db_name in allowed_dbs: - key = f"restr_{counter}" - counter += 1 - selects.append(f"SELECT :{key}_parent AS parent, NULL AS child") - params[f"{key}_parent"] = db_name - - # Table-level entries (parent, child) - for db_name, table_name in allowed_tables: - key = f"restr_{counter}" - counter += 1 - selects.append(f"SELECT :{key}_parent AS parent, :{key}_child AS child") - params[f"{key}_parent"] = db_name - params[f"{key}_child"] = table_name - - restriction_sql = "\nUNION ALL\n".join(selects) - - return [PermissionSQL(params=params, restriction_sql=restriction_sql)] - - -def restrictions_allow_action( - datasette: "Datasette", - restrictions: dict, - action: str, - resource: Optional[str | Tuple[str, str]], -) -> bool: - """ - Check if restrictions allow the requested action on the requested resource. - - This is a synchronous utility function for use by other code that needs - to quickly check restriction allowlists. - - Args: - datasette: The Datasette instance - restrictions: The _r dict from an actor - action: The action name to check - resource: None for global, str for database, (db, table) tuple for table - - Returns: - True if allowed, False if denied - """ - # Does this action have an abbreviation? - to_check = get_action_name_variants(datasette, action) - - # Check global level (any resource) - all_allowed = restrictions.get("a") - if all_allowed is not None: - assert isinstance(all_allowed, list) - if to_check.intersection(all_allowed): - return True - - # Check database level - if resource: - if isinstance(resource, str): - database_name = resource - else: - database_name = resource[0] - database_allowed = restrictions.get("d", {}).get(database_name) - if database_allowed is not None: - assert isinstance(database_allowed, list) - if to_check.intersection(database_allowed): - return True - - # Check table/resource level - if resource is not None and not isinstance(resource, str) and len(resource) == 2: - database, table = resource - table_allowed = restrictions.get("r", {}).get(database, {}).get(table) - if table_allowed is not None: - assert isinstance(table_allowed, list) - if to_check.intersection(table_allowed): - return True - - # This action is not explicitly allowed, so reject it - return False diff --git a/datasette/default_permissions/root.py b/datasette/default_permissions/root.py deleted file mode 100644 index 4931f7ff..00000000 --- a/datasette/default_permissions/root.py +++ /dev/null @@ -1,29 +0,0 @@ -""" -Root user permission handling for Datasette. - -Grants full permissions to the root user when --root flag is used. -""" - -from __future__ import annotations - -from typing import TYPE_CHECKING, Optional - -if TYPE_CHECKING: - from datasette.app import Datasette - -from datasette import hookimpl -from datasette.permissions import PermissionSQL - - -@hookimpl(specname="permission_resources_sql") -async def root_user_permissions_sql( - datasette: "Datasette", - actor: Optional[dict], -) -> Optional[PermissionSQL]: - """ - Grant root user full permissions when --root flag is used. - """ - if not datasette.root_enabled: - return None - if actor is not None and actor.get("id") == "root": - return PermissionSQL.allow(reason="root user") diff --git a/datasette/default_permissions/tokens.py b/datasette/default_permissions/tokens.py deleted file mode 100644 index 474b0c23..00000000 --- a/datasette/default_permissions/tokens.py +++ /dev/null @@ -1,95 +0,0 @@ -""" -Token authentication for Datasette. - -Handles signed API tokens (dstok_ prefix). -""" - -from __future__ import annotations - -import time -from typing import TYPE_CHECKING, Optional - -if TYPE_CHECKING: - from datasette.app import Datasette - -import itsdangerous - -from datasette import hookimpl - - -@hookimpl(specname="actor_from_request") -def actor_from_signed_api_token(datasette: "Datasette", request) -> Optional[dict]: - """ - Authenticate requests using signed API tokens (dstok_ prefix). - - Token structure (signed JSON): - { - "a": "actor_id", # Actor ID - "t": 1234567890, # Timestamp (Unix epoch) - "d": 3600, # Optional: Duration in seconds - "_r": {...} # Optional: Restrictions - } - """ - prefix = "dstok_" - - # Check if tokens are enabled - if not datasette.setting("allow_signed_tokens"): - return None - - max_signed_tokens_ttl = datasette.setting("max_signed_tokens_ttl") - - # Get authorization header - authorization = request.headers.get("authorization") - if not authorization: - return None - if not authorization.startswith("Bearer "): - return None - - token = authorization[len("Bearer ") :] - if not token.startswith(prefix): - return None - - # Remove prefix and verify signature - token = token[len(prefix) :] - try: - decoded = datasette.unsign(token, namespace="token") - except itsdangerous.BadSignature: - return None - - # Validate timestamp - if "t" not in decoded: - return None - created = decoded["t"] - if not isinstance(created, int): - return None - - # Handle duration/expiry - duration = decoded.get("d") - if duration is not None and not isinstance(duration, int): - return None - - # Apply max TTL if configured - if (duration is None and max_signed_tokens_ttl) or ( - duration is not None - and max_signed_tokens_ttl - and duration > max_signed_tokens_ttl - ): - duration = max_signed_tokens_ttl - - # Check expiry - if duration: - if time.time() - created > duration: - return None - - # Build actor dict - actor = {"id": decoded["a"], "token": "dstok"} - - # Copy restrictions if present - if "_r" in decoded: - actor["_r"] = decoded["_r"] - - # Add expiry timestamp if applicable - if duration: - actor["token_expires"] = created + duration - - return actor diff --git a/datasette/events.py b/datasette/events.py index 5cd5ba3d..ae90972d 100644 --- a/datasette/events.py +++ b/datasette/events.py @@ -2,6 +2,7 @@ from abc import ABC, abstractproperty from dataclasses import asdict, dataclass, field from datasette.hookspecs import hookimpl from datetime import datetime, timezone +from typing import Optional @dataclass @@ -13,7 +14,7 @@ class Event(ABC): created: datetime = field( init=False, default_factory=lambda: datetime.now(timezone.utc) ) - actor: dict | None + actor: Optional[dict] def properties(self): properties = asdict(self) @@ -62,7 +63,7 @@ class CreateTokenEvent(Event): """ name = "create-token" - expires_after: int | None + expires_after: Optional[int] restrict_all: list restrict_database: dict restrict_resource: dict diff --git a/datasette/filters.py b/datasette/filters.py index 95cc5f37..67d4170b 100644 --- a/datasette/filters.py +++ b/datasette/filters.py @@ -1,8 +1,8 @@ from datasette import hookimpl -from datasette.resources import DatabaseResource from datasette.views.base import DatasetteError from datasette.utils.asgi import BadRequest import json +import numbers from .utils import detect_json1, escape_sqlite, path_with_removed_args @@ -13,10 +13,11 @@ def where_filters(request, database, datasette): where_clauses = [] extra_wheres_for_ui = [] if "_where" in request.args: - if not await datasette.allowed( - action="execute-sql", - resource=DatabaseResource(database=database), - actor=request.actor, + if not await datasette.permission_allowed( + request.actor, + "execute-sql", + resource=database, + default=True, ): raise DatasetteError("_where= is not allowed", status=403) else: diff --git a/datasette/hookspecs.py b/datasette/hookspecs.py index 3f6a1425..bcc2e229 100644 --- a/datasette/hookspecs.py +++ b/datasette/hookspecs.py @@ -70,8 +70,8 @@ def register_facet_classes(): @hookspec -def register_actions(datasette): - """Register actions: returns a list of datasette.permission.Action objects""" +def register_permissions(datasette): + """Register permissions: returns a list of datasette.permission.Permission named tuples""" @hookspec @@ -111,15 +111,8 @@ def filters_from_request(request, database, table, datasette): @hookspec -def permission_resources_sql(datasette, actor, action): - """Return SQL query fragments for permission checks on resources. - - Returns None, a PermissionSQL object, or a list of PermissionSQL objects. - Each PermissionSQL contains SQL that should return rows with columns: - parent (str|None), child (str|None), allow (int), reason (str). - - Used to efficiently check permissions across multiple resources at once. - """ +def permission_allowed(datasette, actor, action, resource): + """Check if actor is allowed to perform this action - return True, False or None""" @hookspec diff --git a/datasette/permissions.py b/datasette/permissions.py index c48293ac..bd42158e 100644 --- a/datasette/permissions.py +++ b/datasette/permissions.py @@ -1,206 +1,12 @@ -from abc import ABC, abstractmethod from dataclasses import dataclass -from typing import Any, NamedTuple -import contextvars +from typing import Optional -# Context variable to track when permission checks should be skipped -_skip_permission_checks = contextvars.ContextVar( - "skip_permission_checks", default=False -) - - -class SkipPermissions: - """Context manager to temporarily skip permission checks. - - This is not a stable API and may change in future releases. - - Usage: - with SkipPermissions(): - # Permission checks are skipped within this block - response = await datasette.client.get("/protected") - """ - - def __enter__(self): - self.token = _skip_permission_checks.set(True) - return self - - def __exit__(self, exc_type, exc_val, exc_tb): - _skip_permission_checks.reset(self.token) - return False - - -class Resource(ABC): - """ - Base class for all resource types. - - Each subclass represents a type of resource (e.g., TableResource, DatabaseResource). - The class itself carries metadata about the resource type. - Instances represent specific resources. - """ - - # Class-level metadata (subclasses must define these) - name: str = None # e.g., "table", "database", "model" - parent_class: type["Resource"] | None = None # e.g., DatabaseResource for tables - - # Instance-level optional extra attributes - reasons: list[str] | None = None - include_reasons: bool | None = None - - def __init__(self, parent: str | None = None, child: str | None = None): - """ - Create a resource instance. - - Args: - parent: The parent identifier (meaning depends on resource type) - child: The child identifier (meaning depends on resource type) - """ - self.parent = parent - self.child = child - self._private = None # Sentinel to track if private was set - - @property - def private(self) -> bool: - """ - Whether this resource is private (accessible to actor but not anonymous). - - This property is only available on Resource objects returned from - allowed_resources() when include_is_private=True is used. - - Raises: - AttributeError: If accessed without calling include_is_private=True - """ - if self._private is None: - raise AttributeError( - "The 'private' attribute is only available when using " - "allowed_resources(..., include_is_private=True)" - ) - return self._private - - @private.setter - def private(self, value: bool): - self._private = value - - @classmethod - def __init_subclass__(cls): - """ - Validate resource hierarchy doesn't exceed 2 levels. - - Raises: - ValueError: If this resource would create a 3-level hierarchy - """ - super().__init_subclass__() - - if cls.parent_class is None: - return # Top of hierarchy, nothing to validate - - # Check if our parent has a parent - that would create 3 levels - if cls.parent_class.parent_class is not None: - # We have a parent, and that parent has a parent - # This creates a 3-level hierarchy, which is not allowed - raise ValueError( - f"Resource {cls.__name__} creates a 3-level hierarchy: " - f"{cls.parent_class.parent_class.__name__} -> {cls.parent_class.__name__} -> {cls.__name__}. " - f"Maximum 2 levels allowed (parent -> child)." - ) - - @classmethod - @abstractmethod - def resources_sql(cls) -> str: - """ - Return SQL query that returns all resources of this type. - - Must return two columns: parent, child - """ - pass - - -class AllowedResource(NamedTuple): - """A resource with the reason it was allowed (for debugging).""" - - resource: Resource - reason: str - - -@dataclass(frozen=True, kw_only=True) -class Action: - name: str - description: str | None - abbr: str | None = None - resource_class: type[Resource] | None = None - also_requires: str | None = None # Optional action name that must also be allowed - - @property - def takes_parent(self) -> bool: - """ - Whether this action requires a parent identifier when instantiating its resource. - - Returns False for global-only actions (no resource_class). - Returns True for all actions with a resource_class (all resources require a parent identifier). - """ - return self.resource_class is not None - - @property - def takes_child(self) -> bool: - """ - Whether this action requires a child identifier when instantiating its resource. - - Returns False for global actions (no resource_class). - Returns False for parent-level resources (DatabaseResource - parent_class is None). - Returns True for child-level resources (TableResource, QueryResource - have a parent_class). - """ - if self.resource_class is None: - return False - return self.resource_class.parent_class is not None - - -_reason_id = 1 - - -@dataclass -class PermissionSQL: - """ - A plugin contributes SQL that yields: - parent TEXT NULL, - child TEXT NULL, - allow INTEGER, -- 1 allow, 0 deny - reason TEXT - - For restriction-only plugins, sql can be None and only restriction_sql is provided. - """ - - sql: str | None = ( - None # SQL that SELECTs the 4 columns above (can be None for restriction-only) - ) - params: dict[str, Any] | None = ( - None # bound params for the SQL (values only; no ':' prefix) - ) - source: str | None = None # System will set this to the plugin name - restriction_sql: str | None = ( - None # Optional SQL that returns (parent, child) for restriction filtering - ) - - @classmethod - def allow(cls, reason: str, _allow: bool = True) -> "PermissionSQL": - global _reason_id - i = _reason_id - _reason_id += 1 - return cls( - sql=f"SELECT NULL AS parent, NULL AS child, {1 if _allow else 0} AS allow, :reason_{i} AS reason", - params={f"reason_{i}": reason}, - ) - - @classmethod - def deny(cls, reason: str) -> "PermissionSQL": - return cls.allow(reason=reason, _allow=False) - - -# This is obsolete, replaced by Action and ResourceType @dataclass class Permission: name: str - abbr: str | None - description: str | None + abbr: Optional[str] + description: Optional[str] takes_database: bool takes_resource: bool default: bool diff --git a/datasette/plugins.py b/datasette/plugins.py index e9818885..3769a209 100644 --- a/datasette/plugins.py +++ b/datasette/plugins.py @@ -23,7 +23,6 @@ DEFAULT_PLUGINS = ( "datasette.sql_functions", "datasette.actor_auth_cookie", "datasette.default_permissions", - "datasette.default_actions", "datasette.default_magic_parameters", "datasette.blob_renderer", "datasette.default_menu_links", @@ -50,7 +49,7 @@ def after(outcome, hook_name, hook_impls, kwargs): results = outcome.get_result() if not isinstance(results, list): results = [results] - print("Results:", file=sys.stderr) + print(f"Results:", file=sys.stderr) pprint(results, width=40, indent=4, stream=sys.stderr) @@ -94,24 +93,21 @@ def get_plugins(): for plugin in pm.get_plugins(): static_path = None templates_path = None - plugin_name = ( - plugin.__name__ - if hasattr(plugin, "__name__") - else plugin.__class__.__name__ - ) - if plugin_name not in DEFAULT_PLUGINS: + if plugin.__name__ not in DEFAULT_PLUGINS: try: - if (importlib_resources.files(plugin_name) / "static").is_dir(): - static_path = str(importlib_resources.files(plugin_name) / "static") - if (importlib_resources.files(plugin_name) / "templates").is_dir(): + if (importlib_resources.files(plugin.__name__) / "static").is_dir(): + static_path = str( + importlib_resources.files(plugin.__name__) / "static" + ) + if (importlib_resources.files(plugin.__name__) / "templates").is_dir(): templates_path = str( - importlib_resources.files(plugin_name) / "templates" + importlib_resources.files(plugin.__name__) / "templates" ) except (TypeError, ModuleNotFoundError): # Caused by --plugins_dir= plugins pass plugin_info = { - "name": plugin_name, + "name": plugin.__name__, "static_path": static_path, "templates_path": templates_path, "hooks": [h.name for h in pm.get_hookcallers(plugin)], diff --git a/datasette/publish/cloudrun.py b/datasette/publish/cloudrun.py index 63d22fe8..760ff0d1 100644 --- a/datasette/publish/cloudrun.py +++ b/datasette/publish/cloudrun.py @@ -3,7 +3,7 @@ import click import json import os import re -from subprocess import CalledProcessError, check_call, check_output +from subprocess import check_call, check_output from .common import ( add_common_publish_arguments_and_options, @@ -23,9 +23,7 @@ def publish_subcommand(publish): help="Application name to use when building", ) @click.option( - "--service", - default="", - help="Cloud Run service to deploy (or over-write)", + "--service", default="", help="Cloud Run service to deploy (or over-write)" ) @click.option("--spatialite", is_flag=True, help="Enable SpatialLite extension") @click.option( @@ -57,32 +55,13 @@ def publish_subcommand(publish): @click.option( "--max-instances", type=int, - default=1, - show_default=True, - help="Maximum Cloud Run instances (use 0 to remove the limit)", + help="Maximum Cloud Run instances", ) @click.option( "--min-instances", type=int, help="Minimum Cloud Run instances", ) - @click.option( - "--artifact-repository", - default="datasette", - show_default=True, - help="Artifact Registry repository to store the image", - ) - @click.option( - "--artifact-region", - default="us", - show_default=True, - help="Artifact Registry location (region or multi-region)", - ) - @click.option( - "--artifact-project", - default=None, - help="Project ID for Artifact Registry (defaults to the active project)", - ) def cloudrun( files, metadata, @@ -112,9 +91,6 @@ def publish_subcommand(publish): apt_get_extras, max_instances, min_instances, - artifact_repository, - artifact_region, - artifact_project, ): "Publish databases to Datasette running on Cloud Run" fail_if_publish_binary_not_installed( @@ -124,21 +100,6 @@ def publish_subcommand(publish): "gcloud config get-value project", shell=True, universal_newlines=True ).strip() - artifact_project = artifact_project or project - - # Ensure Artifact Registry exists for the target image - _ensure_artifact_registry( - artifact_project=artifact_project, - artifact_region=artifact_region, - artifact_repository=artifact_repository, - ) - - artifact_host = ( - artifact_region - if artifact_region.endswith("-docker.pkg.dev") - else f"{artifact_region}-docker.pkg.dev" - ) - if not service: # Show the user their current services, then prompt for one click.echo("Please provide a service name for this deployment\n") @@ -156,11 +117,6 @@ def publish_subcommand(publish): click.echo("") service = click.prompt("Service name", type=str) - image_id = ( - f"{artifact_host}/{artifact_project}/" - f"{artifact_repository}/datasette-{service}" - ) - extra_metadata = { "title": title, "license": license, @@ -217,6 +173,7 @@ def publish_subcommand(publish): print(fp.read()) print("\n====================\n") + image_id = f"gcr.io/{project}/datasette-{service}" check_call( "gcloud builds submit --tag {}{}".format( image_id, " --timeout {}".format(timeout) if timeout else "" @@ -230,7 +187,7 @@ def publish_subcommand(publish): ("--max-instances", max_instances), ("--min-instances", min_instances), ): - if value is not None: + if value: extra_deploy_options.append("{} {}".format(option, value)) check_call( "gcloud run deploy --allow-unauthenticated --platform=managed --image {} {}{}".format( @@ -242,52 +199,6 @@ def publish_subcommand(publish): ) -def _ensure_artifact_registry(artifact_project, artifact_region, artifact_repository): - """Ensure Artifact Registry API is enabled and the repository exists.""" - - enable_cmd = ( - "gcloud services enable artifactregistry.googleapis.com " - f"--project {artifact_project} --quiet" - ) - try: - check_call(enable_cmd, shell=True) - except CalledProcessError as exc: - raise click.ClickException( - "Failed to enable artifactregistry.googleapis.com. " - "Please ensure you have permissions to manage services." - ) from exc - - describe_cmd = ( - "gcloud artifacts repositories describe {repo} --project {project} " - "--location {location} --quiet" - ).format( - repo=artifact_repository, - project=artifact_project, - location=artifact_region, - ) - try: - check_call(describe_cmd, shell=True) - return - except CalledProcessError: - create_cmd = ( - "gcloud artifacts repositories create {repo} --repository-format=docker " - '--location {location} --project {project} --description "Datasette Cloud Run images" --quiet' - ).format( - repo=artifact_repository, - location=artifact_region, - project=artifact_project, - ) - try: - check_call(create_cmd, shell=True) - click.echo(f"Created Artifact Registry repository '{artifact_repository}'") - except CalledProcessError as exc: - raise click.ClickException( - "Failed to create Artifact Registry repository. " - "Use --artifact-repository/--artifact-region to point to an existing repo " - "or create one manually." - ) from exc - - def get_existing_services(): services = json.loads( check_output( @@ -303,7 +214,6 @@ def get_existing_services(): "url": service["status"]["address"]["url"], } for service in services - if "url" in service["status"] ] diff --git a/datasette/renderer.py b/datasette/renderer.py index acf23e59..483c81e9 100644 --- a/datasette/renderer.py +++ b/datasette/renderer.py @@ -20,7 +20,7 @@ def convert_specific_columns_to_json(rows, columns, json_cols): if column in json_cols: try: value = json.loads(value) - except (TypeError, ValueError): + except (TypeError, ValueError) as e: pass new_row.append(value) new_rows.append(new_row) diff --git a/datasette/resources.py b/datasette/resources.py deleted file mode 100644 index 641afb2f..00000000 --- a/datasette/resources.py +++ /dev/null @@ -1,90 +0,0 @@ -"""Core resource types for Datasette's permission system.""" - -from datasette.permissions import Resource - - -class DatabaseResource(Resource): - """A database in Datasette.""" - - name = "database" - parent_class = None # Top of the resource hierarchy - - def __init__(self, database: str): - super().__init__(parent=database, child=None) - - @classmethod - async def resources_sql(cls, datasette) -> str: - return """ - SELECT database_name AS parent, NULL AS child - FROM catalog_databases - """ - - -class TableResource(Resource): - """A table in a database.""" - - name = "table" - parent_class = DatabaseResource - - def __init__(self, database: str, table: str): - super().__init__(parent=database, child=table) - - @classmethod - async def resources_sql(cls, datasette) -> str: - return """ - SELECT database_name AS parent, table_name AS child - FROM catalog_tables - UNION ALL - SELECT database_name AS parent, view_name AS child - FROM catalog_views - """ - - -class QueryResource(Resource): - """A canned query in a database.""" - - name = "query" - parent_class = DatabaseResource - - def __init__(self, database: str, query: str): - super().__init__(parent=database, child=query) - - @classmethod - async def resources_sql(cls, datasette) -> str: - from datasette.plugins import pm - from datasette.utils import await_me_maybe - - # Get all databases from catalog - db = datasette.get_internal_database() - result = await db.execute("SELECT database_name FROM catalog_databases") - databases = [row[0] for row in result.rows] - - # Gather all canned queries from all databases - query_pairs = [] - for database_name in databases: - # Call the hook to get queries (including from config via default plugin) - for queries_result in pm.hook.canned_queries( - datasette=datasette, - database=database_name, - actor=None, # Get ALL queries for resource enumeration - ): - queries = await await_me_maybe(queries_result) - if queries: - for query_name in queries.keys(): - query_pairs.append((database_name, query_name)) - - # Build SQL - if not query_pairs: - return "SELECT NULL AS parent, NULL AS child WHERE 0" - - # Generate UNION ALL query - selects = [] - for db_name, query_name in query_pairs: - # Escape single quotes by doubling them - db_escaped = db_name.replace("'", "''") - query_escaped = query_name.replace("'", "''") - selects.append( - f"SELECT '{db_escaped}' AS parent, '{query_escaped}' AS child" - ) - - return " UNION ALL ".join(selects) diff --git a/datasette/static/datasette-manager.js b/datasette/static/datasette-manager.js index d2347ab3..10716cc5 100644 --- a/datasette/static/datasette-manager.js +++ b/datasette/static/datasette-manager.js @@ -93,12 +93,12 @@ const datasetteManager = { */ renderAboveTablePanel: () => { const aboveTablePanel = document.querySelector( - DOM_SELECTORS.aboveTablePanel, + DOM_SELECTORS.aboveTablePanel ); if (!aboveTablePanel) { console.warn( - "This page does not have a table, the renderAboveTablePanel cannot be used.", + "This page does not have a table, the renderAboveTablePanel cannot be used." ); return; } diff --git a/datasette/static/json-format-highlight-1.0.1.js b/datasette/static/json-format-highlight-1.0.1.js index 0e6e2c29..d83b8186 100644 --- a/datasette/static/json-format-highlight-1.0.1.js +++ b/datasette/static/json-format-highlight-1.0.1.js @@ -7,8 +7,8 @@ MIT Licensed typeof exports === "object" && typeof module !== "undefined" ? (module.exports = factory()) : typeof define === "function" && define.amd - ? define(factory) - : (global.jsonFormatHighlight = factory()); + ? define(factory) + : (global.jsonFormatHighlight = factory()); })(this, function () { "use strict"; @@ -42,13 +42,13 @@ MIT Licensed color = /true/.test(match) ? colors.trueColor : /false/.test(match) - ? colors.falseColor - : /null/.test(match) - ? colors.nullColor - : color; + ? colors.falseColor + : /null/.test(match) + ? colors.nullColor + : color; } return '' + match + ""; - }, + } ); } diff --git a/datasette/static/navigation-search.js b/datasette/static/navigation-search.js deleted file mode 100644 index 48de5c4f..00000000 --- a/datasette/static/navigation-search.js +++ /dev/null @@ -1,416 +0,0 @@ -class NavigationSearch extends HTMLElement { - constructor() { - super(); - this.attachShadow({ mode: "open" }); - this.selectedIndex = -1; - this.matches = []; - this.debounceTimer = null; - - this.render(); - this.setupEventListeners(); - } - - render() { - this.shadowRoot.innerHTML = ` - - - -
-
- -
-
-
- Navigate - Enter Select - Esc Close -
-
- - `; - } - - setupEventListeners() { - const dialog = this.shadowRoot.querySelector("dialog"); - const input = this.shadowRoot.querySelector(".search-input"); - const resultsContainer = - this.shadowRoot.querySelector(".results-container"); - - // Global keyboard listener for "/" - document.addEventListener("keydown", (e) => { - if (e.key === "/" && !this.isInputFocused() && !dialog.open) { - e.preventDefault(); - this.openMenu(); - } - }); - - // Input event - input.addEventListener("input", (e) => { - this.handleSearch(e.target.value); - }); - - // Keyboard navigation - input.addEventListener("keydown", (e) => { - if (e.key === "ArrowDown") { - e.preventDefault(); - this.moveSelection(1); - } else if (e.key === "ArrowUp") { - e.preventDefault(); - this.moveSelection(-1); - } else if (e.key === "Enter") { - e.preventDefault(); - this.selectCurrentItem(); - } else if (e.key === "Escape") { - this.closeMenu(); - } - }); - - // Click on result item - resultsContainer.addEventListener("click", (e) => { - const item = e.target.closest(".result-item"); - if (item) { - const index = parseInt(item.dataset.index); - this.selectItem(index); - } - }); - - // Close on backdrop click - dialog.addEventListener("click", (e) => { - if (e.target === dialog) { - this.closeMenu(); - } - }); - - // Initial load - this.loadInitialData(); - } - - isInputFocused() { - const activeElement = document.activeElement; - return ( - activeElement && - (activeElement.tagName === "INPUT" || - activeElement.tagName === "TEXTAREA" || - activeElement.isContentEditable) - ); - } - - loadInitialData() { - const itemsAttr = this.getAttribute("items"); - if (itemsAttr) { - try { - this.allItems = JSON.parse(itemsAttr); - this.matches = this.allItems; - } catch (e) { - console.error("Failed to parse items attribute:", e); - this.allItems = []; - this.matches = []; - } - } - } - - handleSearch(query) { - clearTimeout(this.debounceTimer); - - this.debounceTimer = setTimeout(() => { - const url = this.getAttribute("url"); - - if (url) { - // Fetch from API - this.fetchResults(url, query); - } else { - // Filter local items - this.filterLocalItems(query); - } - }, 200); - } - - async fetchResults(url, query) { - try { - const searchUrl = `${url}?q=${encodeURIComponent(query)}`; - const response = await fetch(searchUrl); - const data = await response.json(); - this.matches = data.matches || []; - this.selectedIndex = this.matches.length > 0 ? 0 : -1; - this.renderResults(); - } catch (e) { - console.error("Failed to fetch search results:", e); - this.matches = []; - this.renderResults(); - } - } - - filterLocalItems(query) { - if (!query.trim()) { - this.matches = []; - } else { - const lowerQuery = query.toLowerCase(); - this.matches = (this.allItems || []).filter( - (item) => - item.name.toLowerCase().includes(lowerQuery) || - item.url.toLowerCase().includes(lowerQuery), - ); - } - this.selectedIndex = this.matches.length > 0 ? 0 : -1; - this.renderResults(); - } - - renderResults() { - const container = this.shadowRoot.querySelector(".results-container"); - const input = this.shadowRoot.querySelector(".search-input"); - - if (this.matches.length === 0) { - const message = input.value.trim() - ? "No results found" - : "Start typing to search..."; - container.innerHTML = `
${message}
`; - return; - } - - container.innerHTML = this.matches - .map( - (match, index) => ` -
-
-
${this.escapeHtml( - match.name, - )}
-
${this.escapeHtml(match.url)}
-
-
- `, - ) - .join(""); - - // Scroll selected item into view - if (this.selectedIndex >= 0) { - const selectedItem = container.children[this.selectedIndex]; - if (selectedItem) { - selectedItem.scrollIntoView({ block: "nearest" }); - } - } - } - - moveSelection(direction) { - const newIndex = this.selectedIndex + direction; - if (newIndex >= 0 && newIndex < this.matches.length) { - this.selectedIndex = newIndex; - this.renderResults(); - } - } - - selectCurrentItem() { - if (this.selectedIndex >= 0 && this.selectedIndex < this.matches.length) { - this.selectItem(this.selectedIndex); - } - } - - selectItem(index) { - const match = this.matches[index]; - if (match) { - // Dispatch custom event - this.dispatchEvent( - new CustomEvent("select", { - detail: match, - bubbles: true, - composed: true, - }), - ); - - // Navigate to URL - window.location.href = match.url; - - this.closeMenu(); - } - } - - openMenu() { - const dialog = this.shadowRoot.querySelector("dialog"); - const input = this.shadowRoot.querySelector(".search-input"); - - dialog.showModal(); - input.value = ""; - input.focus(); - - // Reset state - start with no items shown - this.matches = []; - this.selectedIndex = -1; - this.renderResults(); - } - - closeMenu() { - const dialog = this.shadowRoot.querySelector("dialog"); - dialog.close(); - } - - escapeHtml(text) { - const div = document.createElement("div"); - div.textContent = text; - return div.innerHTML; - } -} - -// Register the custom element -customElements.define("navigation-search", NavigationSearch); diff --git a/datasette/static/table.js b/datasette/static/table.js index 0caeeb91..909eebf3 100644 --- a/datasette/static/table.js +++ b/datasette/static/table.js @@ -132,7 +132,7 @@ const initDatasetteTable = function (manager) { /* Only show "Facet by this" if it's not the first column, not selected, not a single PK and the Datasette allow_facet setting is True */ var displayedFacets = Array.from( - document.querySelectorAll(".facet-info"), + document.querySelectorAll(".facet-info") ).map((el) => el.dataset.column); var isFirstColumn = th.parentElement.querySelector("th:first-of-type") == th; @@ -152,7 +152,7 @@ const initDatasetteTable = function (manager) { } /* Show notBlank option if not selected AND at least one visible blank value */ var tdsForThisColumn = Array.from( - th.closest("table").querySelectorAll("td." + th.className), + th.closest("table").querySelectorAll("td." + th.className) ); if ( params.get(`${column}__notblank`) != "1" && @@ -191,31 +191,29 @@ const initDatasetteTable = function (manager) { // Plugin hook: allow adding JS-based additional menu items const columnActionsPayload = { columnName: th.dataset.column, - columnNotNull: th.dataset.columnNotNull === "1", + columnNotNull: th.dataset.columnNotNull === '1', columnType: th.dataset.columnType, - isPk: th.dataset.isPk === "1", + isPk: th.dataset.isPk === '1' }; const columnItemConfigs = manager.makeColumnActions(columnActionsPayload); - const menuList = menu.querySelector("ul"); - columnItemConfigs.forEach((itemConfig) => { + const menuList = menu.querySelector('ul'); + columnItemConfigs.forEach(itemConfig => { // Remove items from previous render. We assume entries have unique labels. const existingItems = menuList.querySelectorAll(`li`); - Array.from(existingItems) - .filter((item) => item.innerText === itemConfig.label) - .forEach((node) => { - node.remove(); - }); + Array.from(existingItems).filter(item => item.innerText === itemConfig.label).forEach(node => { + node.remove(); + }); - const newLink = document.createElement("a"); + const newLink = document.createElement('a'); newLink.textContent = itemConfig.label; - newLink.href = itemConfig.href ?? "#"; + newLink.href = itemConfig.href ?? '#'; if (itemConfig.onClick) { newLink.onclick = itemConfig.onClick; } // Attach new elements to DOM - const menuItem = document.createElement("li"); + const menuItem = document.createElement('li'); menuItem.appendChild(newLink); menuList.appendChild(menuItem); }); @@ -227,17 +225,17 @@ const initDatasetteTable = function (manager) { menu.style.left = windowWidth - menuWidth - 20 + "px"; } // Align menu .hook arrow with the column cog icon - const hook = menu.querySelector(".hook"); - const icon = th.querySelector(".dropdown-menu-icon"); + const hook = menu.querySelector('.hook'); + const icon = th.querySelector('.dropdown-menu-icon'); const iconRect = icon.getBoundingClientRect(); - const hookLeft = iconRect.left - menuLeft + 1 + "px"; + const hookLeft = (iconRect.left - menuLeft + 1) + 'px'; hook.style.left = hookLeft; // Move the whole menu right if the hook is too far right const menuRect = menu.getBoundingClientRect(); if (iconRect.right > menuRect.right) { - menu.style.left = iconRect.right - menuWidth + "px"; + menu.style.left = (iconRect.right - menuWidth) + 'px'; // And move hook tip as well - hook.style.left = menuWidth - 13 + "px"; + hook.style.left = (menuWidth - 13) + 'px'; } } @@ -252,9 +250,7 @@ const initDatasetteTable = function (manager) { menu.style.display = "none"; document.body.appendChild(menu); - var ths = Array.from( - document.querySelectorAll(manager.selectors.tableHeaders), - ); + var ths = Array.from(document.querySelectorAll(manager.selectors.tableHeaders)); ths.forEach((th) => { if (!th.querySelector("a")) { return; @@ -268,9 +264,9 @@ const initDatasetteTable = function (manager) { /* Add x buttons to the filter rows */ function addButtonsToFilterRows(manager) { var x = "✖"; - var rows = Array.from( - document.querySelectorAll(manager.selectors.filterRow), - ).filter((el) => el.querySelector(".filter-op")); + var rows = Array.from(document.querySelectorAll(manager.selectors.filterRow)).filter((el) => + el.querySelector(".filter-op") + ); rows.forEach((row) => { var a = document.createElement("a"); a.setAttribute("href", "#"); @@ -291,18 +287,18 @@ function addButtonsToFilterRows(manager) { a.style.display = "none"; } }); -} +}; /* Set up datalist autocomplete for filter values */ function initAutocompleteForFilterValues(manager) { function createDataLists() { var facetResults = document.querySelectorAll( - manager.selectors.facetResults, + manager.selectors.facetResults ); Array.from(facetResults).forEach(function (facetResult) { // Use link text from all links in the facet result var links = Array.from( - facetResult.querySelectorAll("li:not(.facet-truncated) a"), + facetResult.querySelectorAll("li:not(.facet-truncated) a") ); // Create a datalist element var datalist = document.createElement("datalist"); @@ -328,7 +324,7 @@ function initAutocompleteForFilterValues(manager) { .setAttribute("list", "datalist-" + event.target.value); } }); -} +}; // Ensures Table UI is initialized only after the Manager is ready. document.addEventListener("datasette_init", function (evt) { diff --git a/datasette/templates/_debug_common_functions.html b/datasette/templates/_debug_common_functions.html deleted file mode 100644 index d988a2f3..00000000 --- a/datasette/templates/_debug_common_functions.html +++ /dev/null @@ -1,50 +0,0 @@ - diff --git a/datasette/templates/_permission_ui_styles.html b/datasette/templates/_permission_ui_styles.html deleted file mode 100644 index 53a824f1..00000000 --- a/datasette/templates/_permission_ui_styles.html +++ /dev/null @@ -1,145 +0,0 @@ - diff --git a/datasette/templates/_permissions_debug_tabs.html b/datasette/templates/_permissions_debug_tabs.html deleted file mode 100644 index d7203c1e..00000000 --- a/datasette/templates/_permissions_debug_tabs.html +++ /dev/null @@ -1,54 +0,0 @@ -{% if has_debug_permission %} -{% set query_string = '?' + request.query_string if request.query_string else '' %} - - - - -{% endif %} diff --git a/datasette/templates/allow_debug.html b/datasette/templates/allow_debug.html index 1ecc92df..610417d2 100644 --- a/datasette/templates/allow_debug.html +++ b/datasette/templates/allow_debug.html @@ -33,9 +33,6 @@ p.message-warning {

Debug allow rules

-{% set current_tab = "allow_debug" %} -{% include "_permissions_debug_tabs.html" %} -

Use this tool to try out different actor and allow combinations. See Defining permissions with "allow" blocks for documentation.

diff --git a/datasette/templates/base.html b/datasette/templates/base.html index 0d89e11c..0b2def5a 100644 --- a/datasette/templates/base.html +++ b/datasette/templates/base.html @@ -72,7 +72,5 @@ {% endfor %} {% if select_templates %}{% endif %} - - diff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html index ad7c71b6..409fb8a9 100644 --- a/datasette/templates/create_token.html +++ b/datasette/templates/create_token.html @@ -57,7 +57,7 @@ Restrict actions that can be performed using this token

All databases and tables

    - {% for permission in all_actions %} + {% for permission in all_permissions %}
    • {% endfor %}
@@ -65,7 +65,7 @@ {% for database in database_with_tables %}

All tables in "{{ database.name }}"

    - {% for permission in database_actions %} + {% for permission in database_permissions %}
    • {% endfor %}
@@ -75,7 +75,7 @@ {% for table in database.tables %}

{{ database.name }}: {{ table.name }}

    - {% for permission in child_actions %} + {% for permission in resource_permissions %}
    • {% endfor %}
diff --git a/datasette/templates/database.html b/datasette/templates/database.html index 42b4ca0b..66f288dc 100644 --- a/datasette/templates/database.html +++ b/datasette/templates/database.html @@ -56,7 +56,7 @@ {% endif %} {% if tables %} -

Tables schema

+

Tables

{% endif %} {% for table in tables %} diff --git a/datasette/templates/debug_actions.html b/datasette/templates/debug_actions.html deleted file mode 100644 index 0ef7b329..00000000 --- a/datasette/templates/debug_actions.html +++ /dev/null @@ -1,43 +0,0 @@ -{% extends "base.html" %} - -{% block title %}Registered Actions{% endblock %} - -{% block content %} -

Registered actions

- -{% set current_tab = "actions" %} -{% include "_permissions_debug_tabs.html" %} - -

- This Datasette instance has registered {{ data|length }} action{{ data|length != 1 and "s" or "" }}. - Actions are used by the permission system to control access to different features. -

- -
- - - - - - - - - - - - - {% for action in data %} - - - - - - - - - - {% endfor %} - -
NameAbbrDescriptionResourceTakes ParentTakes ChildAlso Requires
{{ action.name }}{% if action.abbr %}{{ action.abbr }}{% endif %}{{ action.description or "" }}{% if action.resource_class %}{{ action.resource_class }}{% endif %}{% if action.takes_parent %}✓{% endif %}{% if action.takes_child %}✓{% endif %}{% if action.also_requires %}{{ action.also_requires }}{% endif %}
- -{% endblock %} diff --git a/datasette/templates/debug_allowed.html b/datasette/templates/debug_allowed.html deleted file mode 100644 index add3154a..00000000 --- a/datasette/templates/debug_allowed.html +++ /dev/null @@ -1,229 +0,0 @@ -{% extends "base.html" %} - -{% block title %}Allowed Resources{% endblock %} - -{% block extra_head %} - -{% include "_permission_ui_styles.html" %} -{% include "_debug_common_functions.html" %} -{% endblock %} - -{% block content %} -

Allowed resources

- -{% set current_tab = "allowed" %} -{% include "_permissions_debug_tabs.html" %} - -

Use this tool to check which resources the current actor is allowed to access for a given permission action. It queries the /-/allowed.json API endpoint.

- -{% if request.actor %} -

Current actor: {{ request.actor.get("id", "anonymous") }}

-{% else %} -

Current actor: anonymous (not logged in)

-{% endif %} - -
- -
- - - Only certain actions are supported by this endpoint -
- -
- - - Filter results to a specific parent resource -
- -
- - - Filter results to a specific child resource (requires parent to be set) -
- -
- - - Number of results per page (max 200) -
- -
- -
- -
- - - - - -{% endblock %} diff --git a/datasette/templates/debug_check.html b/datasette/templates/debug_check.html deleted file mode 100644 index c2e7997f..00000000 --- a/datasette/templates/debug_check.html +++ /dev/null @@ -1,270 +0,0 @@ -{% extends "base.html" %} - -{% block title %}Permission Check{% endblock %} - -{% block extra_head %} - -{% include "_permission_ui_styles.html" %} -{% include "_debug_common_functions.html" %} - -{% endblock %} - -{% block content %} -

Permission check

- -{% set current_tab = "check" %} -{% include "_permissions_debug_tabs.html" %} - -

Use this tool to test permission checks for the current actor. It queries the /-/check.json API endpoint.

- -{% if request.actor %} -

Current actor: {{ request.actor.get("id", "anonymous") }}

-{% else %} -

Current actor: anonymous (not logged in)

-{% endif %} - -
-
-
- - - The permission action to check -
- -
- - - For database-level permissions, specify the database name -
- -
- - - For table-level permissions, specify the table name (requires parent) -
- -
- -
-
-
- - - - - -{% endblock %} diff --git a/datasette/templates/debug_permissions_playground.html b/datasette/templates/debug_permissions_playground.html deleted file mode 100644 index 91ce1fcf..00000000 --- a/datasette/templates/debug_permissions_playground.html +++ /dev/null @@ -1,166 +0,0 @@ -{% extends "base.html" %} - -{% block title %}Debug permissions{% endblock %} - -{% block extra_head %} -{% include "_permission_ui_styles.html" %} - -{% endblock %} - -{% block content %} -

Permission playground

- -{% set current_tab = "permissions" %} -{% include "_permissions_debug_tabs.html" %} - -

This tool lets you simulate an actor and a permission check for that actor.

- -
-
- -
-
- - -
-
-
-
- - -
-
- - -
-
- - -
-
-
- -
- 

-    

-

-
-
-
-
Recent permissions checks

-
-

-    {% if filter != "all" %}All{% else %}All{% endif %},
-    {% if filter != "exclude-yours" %}Exclude yours{% else %}Exclude yours{% endif %},
-    {% if filter != "only-yours" %}Only yours{% else %}Only yours{% endif %}
-

-
-{% if permission_checks %}
-
-    
-        
-            
-            
-            
-            
-            
-            
-        
-    
-    
-        {% for check in permission_checks %}
-            
-                
-                
-                
-                
-                
-                
-            
-        {% endfor %}
-        
-
WhenActionParentChildActorResult
{{ check.when.split('T', 1)[0] }}
{{ check.when.split('T', 1)[1].split('+', 1)[0].split('-', 1)[0].split('Z', 1)[0] }}		{{ check.action }}{{ check.parent or '—' }}{{ check.child or '—' }}{% if check.actor %}{{ check.actor|tojson }}{% else %}anonymous{% endif %}{% if check.result %}Allowed{% elif check.result is none %}No opinion{% else %}Denied{% endif %}

-{% else %}
-
No permission checks have been recorded yet.

-{% endif %}
-
-{% endblock %}
diff --git a/datasette/templates/debug_rules.html b/datasette/templates/debug_rules.html
deleted file mode 100644
index 9a290803..00000000
--- a/datasette/templates/debug_rules.html
+++ /dev/null
@@ -1,203 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}Permission Rules{% endblock %}
-
-{% block extra_head %}
-
-{% include "_permission_ui_styles.html" %}
-{% include "_debug_common_functions.html" %}
-{% endblock %}
-
-{% block content %}
-
Permission rules

-
-{% set current_tab = "rules" %}
-{% include "_permissions_debug_tabs.html" %}
-
-
Use this tool to view the permission rules that allow the current actor to access resources for a given permission action. It queries the /-/rules.json API endpoint.

-
-{% if request.actor %}
-
Current actor: {{ request.actor.get("id", "anonymous") }}

-{% else %}
-
Current actor: anonymous (not logged in)

-{% endif %}
-
-

-    

-        

-            
-            
-            The permission action to check
-        

-
-        

-            
-            
-            Number of results per page (max 200)
-        

-
-        

-            
-        

-    

-

-
-
-
-
-
-{% endblock %}
diff --git a/datasette/templates/permissions_debug.html b/datasette/templates/permissions_debug.html
new file mode 100644
index 00000000..558d16f2
--- /dev/null
+++ b/datasette/templates/permissions_debug.html
@@ -0,0 +1,149 @@
+{% extends "base.html" %}
+
+{% block title %}Debug permissions{% endblock %}
+
+{% block extra_head %}
+
+{% endblock %}
+
+{% block content %}
+
+
Permission check testing tool

+
+
This tool lets you simulate an actor and a permission check for that actor.

+
+

+    
+    

+        

+        
+    

+    

+        

+        
+        

+        

+    

+    

+        
+    

+    

+

+
+
+
+
Recent permissions checks

+
+

+    {% if filter != "all" %}All{% else %}All{% endif %},
+    {% if filter != "exclude-yours" %}Exclude yours{% else %}Exclude yours{% endif %},
+    {% if filter != "only-yours" %}Only yours{% else %}Only yours{% endif %}
+

+
+{% for check in permission_checks %}
+    

+        

+            {{ check.action }}
+            checked at
+            {{ check.when }}
+            {% if check.result %}
+                
+            {% elif check.result is none %}
+                none
+            {% else %}
+                
+            {% endif %}
+            {% if check.used_default %}
+                (used default)
+            {% endif %}
+        

+        
Actor: {{ check.actor|tojson }}

+        {% if check.resource %}
+            
Resource: {{ check.resource }}

+        {% endif %}
+    

+{% endfor %}
+
+
All registered permissions

+
+
{{ permissions|tojson(2) }}

+
+{% endblock %}
diff --git a/datasette/templates/schema.html b/datasette/templates/schema.html
deleted file mode 100644
index 2fd8637e..00000000
--- a/datasette/templates/schema.html
+++ /dev/null
@@ -1,41 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}{% if is_instance %}Schema for all databases{% elif table_name %}Schema for {{ schemas[0].database }}.{{ table_name }}{% else %}Schema for {{ schemas[0].database }}{% endif %}{% endblock %}
-
-{% block body_class %}schema{% endblock %}
-
-{% block crumbs %}
-{% if is_instance %}
-{{ crumbs.nav(request=request) }}
-{% elif table_name %}
-{{ crumbs.nav(request=request, database=schemas[0].database, table=table_name) }}
-{% else %}
-{{ crumbs.nav(request=request, database=schemas[0].database) }}
-{% endif %}
-{% endblock %}
-
-{% block content %}
-

-    
{% if is_instance %}Schema for all databases{% elif table_name %}Schema for {{ table_name }}{% else %}Schema for {{ schemas[0].database }}{% endif %}

-

-
-{% for item in schemas %}
-    {% if is_instance %}
-        
{{ item.database }}

-    {% endif %}
-
-    {% if item.schema %}
-        
{{ item.schema }}

-    {% else %}
-        
No schema available for this database.

-    {% endif %}
-
-    {% if not loop.last %}
-        

-    {% endif %}
-{% endfor %}
-
-{% if not schemas %}
-    
No databases with viewable schemas found.

-{% endif %}
-{% endblock %}
diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index ac2c74da..38a16b79 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -4,7 +4,6 @@ import aiofiles
 import click
 from collections import OrderedDict, namedtuple, Counter
 import copy
-import dataclasses
 import base64
 import hashlib
 import inspect
@@ -28,58 +27,6 @@ from .sqlite import sqlite3, supports_table_xinfo
 
 if typing.TYPE_CHECKING:
     from datasette.database import Database
-    from datasette.permissions import Resource
-
-
-@dataclasses.dataclass
-class PaginatedResources:
-    """Paginated results from allowed_resources query."""
-
-    resources: List["Resource"]
-    next: str | None  # Keyset token for next page (None if no more results)
-    _datasette: typing.Any = dataclasses.field(default=None, repr=False)
-    _action: str = dataclasses.field(default=None, repr=False)
-    _actor: typing.Any = dataclasses.field(default=None, repr=False)
-    _parent: str | None = dataclasses.field(default=None, repr=False)
-    _include_is_private: bool = dataclasses.field(default=False, repr=False)
-    _include_reasons: bool = dataclasses.field(default=False, repr=False)
-    _limit: int = dataclasses.field(default=100, repr=False)
-
-    async def all(self):
-        """
-        Async generator that yields all resources across all pages.
-
-        Automatically handles pagination under the hood. This is useful when you need
-        to iterate through all results without manually managing pagination tokens.
-
-        Yields:
-            Resource objects one at a time
-
-        Example:
-            page = await datasette.allowed_resources("view-table", actor)
-            async for table in page.all():
-                print(f"{table.parent}/{table.child}")
-        """
-        # Yield all resources from current page
-        for resource in self.resources:
-            yield resource
-
-        # Continue fetching subsequent pages if there are more
-        next_token = self.next
-        while next_token:
-            page = await self._datasette.allowed_resources(
-                self._action,
-                self._actor,
-                parent=self._parent,
-                include_is_private=self._include_is_private,
-                include_reasons=self._include_reasons,
-                limit=self._limit,
-                next=next_token,
-            )
-            for resource in page.resources:
-                yield resource
-            next_token = page.next
-
 
 # From https://www.sqlite.org/lang_keywords.html
 reserved_words = set(
diff --git a/datasette/utils/actions_sql.py b/datasette/utils/actions_sql.py
deleted file mode 100644
index 9c2add0e..00000000
--- a/datasette/utils/actions_sql.py
+++ /dev/null
@@ -1,587 +0,0 @@
-"""
-SQL query builder for hierarchical permission checking.
-
-This module implements a cascading permission system based on the pattern
-from https://github.com/simonw/research/tree/main/sqlite-permissions-poc
-
-It builds SQL queries that:
-
-1. Start with all resources of a given type (from resource_type.resources_sql())
-2. Gather permission rules from plugins (via permission_resources_sql hook)
-3. Apply cascading logic: child → parent → global
-4. Apply DENY-beats-ALLOW at each level
-
-The core pattern is:
-- Resources are identified by (parent, child) tuples
-- Rules are evaluated at three levels:
-  - child: exact match on (parent, child)
-  - parent: match on (parent, NULL)
-  - global: match on (NULL, NULL)
-- At the same level, DENY (allow=0) beats ALLOW (allow=1)
-- Across levels, child beats parent beats global
-"""
-
-from typing import TYPE_CHECKING
-
-from datasette.utils.permissions import gather_permission_sql_from_hooks
-
-if TYPE_CHECKING:
-    from datasette.app import Datasette
-
-
-async def build_allowed_resources_sql(
-    datasette: "Datasette",
-    actor: dict | None,
-    action: str,
-    *,
-    parent: str | None = None,
-    include_is_private: bool = False,
-) -> tuple[str, dict]:
-    """
-    Build a SQL query that returns all resources the actor can access for this action.
-
-    Args:
-        datasette: The Datasette instance
-        actor: The actor dict (or None for unauthenticated)
-        action: The action name (e.g., "view-table", "view-database")
-        parent: Optional parent filter to limit results (e.g., database name)
-        include_is_private: If True, add is_private column showing if anonymous cannot access
-
-    Returns:
-        A tuple of (sql_query, params_dict)
-
-    The returned SQL query will have three columns (or four with include_is_private):
-        - parent: The parent resource identifier (or NULL)
-        - child: The child resource identifier (or NULL)
-        - reason: The reason from the rule that granted access
-        - is_private: (if include_is_private) 1 if anonymous cannot access, 0 otherwise
-
-    Example:
-        For action="view-table", this might return:
-        SELECT parent, child, reason FROM ... WHERE is_allowed = 1
-
-        Results would be like:
-        ('analytics', 'users', 'role-based: analysts can access analytics DB')
-        ('analytics', 'events', 'role-based: analysts can access analytics DB')
-        ('production', 'orders', 'business-exception: allow production.orders for carol')
-    """
-    # Get the Action object
-    action_obj = datasette.actions.get(action)
-    if not action_obj:
-        raise ValueError(f"Unknown action: {action}")
-
-    # If this action also_requires another action, we need to combine the queries
-    if action_obj.also_requires:
-        # Build both queries
-        main_sql, main_params = await _build_single_action_sql(
-            datasette,
-            actor,
-            action,
-            parent=parent,
-            include_is_private=include_is_private,
-        )
-        required_sql, required_params = await _build_single_action_sql(
-            datasette,
-            actor,
-            action_obj.also_requires,
-            parent=parent,
-            include_is_private=False,
-        )
-
-        # Merge parameters - they should have identical values for :actor, :actor_id, etc.
-        all_params = {**main_params, **required_params}
-        if parent is not None:
-            all_params["filter_parent"] = parent
-
-        # Combine with INNER JOIN - only resources allowed by both actions
-        combined_sql = f"""
-WITH
-main_allowed AS (
-{main_sql}
-),
-required_allowed AS (
-{required_sql}
-)
-SELECT m.parent, m.child, m.reason"""
-
-        if include_is_private:
-            combined_sql += ", m.is_private"
-
-        combined_sql += """
-FROM main_allowed m
-INNER JOIN required_allowed r
-  ON ((m.parent = r.parent) OR (m.parent IS NULL AND r.parent IS NULL))
- AND ((m.child = r.child) OR (m.child IS NULL AND r.child IS NULL))
-"""
-
-        if parent is not None:
-            combined_sql += "WHERE m.parent = :filter_parent\n"
-
-        combined_sql += "ORDER BY m.parent, m.child"
-
-        return combined_sql, all_params
-
-    # No also_requires, build single action query
-    return await _build_single_action_sql(
-        datasette, actor, action, parent=parent, include_is_private=include_is_private
-    )
-
-
-async def _build_single_action_sql(
-    datasette: "Datasette",
-    actor: dict | None,
-    action: str,
-    *,
-    parent: str | None = None,
-    include_is_private: bool = False,
-) -> tuple[str, dict]:
-    """
-    Build SQL for a single action (internal helper for build_allowed_resources_sql).
-
-    This contains the original logic from build_allowed_resources_sql, extracted
-    to allow combining multiple actions when also_requires is used.
-    """
-    # Get the Action object
-    action_obj = datasette.actions.get(action)
-    if not action_obj:
-        raise ValueError(f"Unknown action: {action}")
-
-    # Get base resources SQL from the resource class
-    base_resources_sql = await action_obj.resource_class.resources_sql(datasette)
-
-    permission_sqls = await gather_permission_sql_from_hooks(
-        datasette=datasette,
-        actor=actor,
-        action=action,
-    )
-
-    # If permission_sqls is the sentinel, skip all permission checks
-    # Return SQL that allows all resources
-    from datasette.utils.permissions import SKIP_PERMISSION_CHECKS
-
-    if permission_sqls is SKIP_PERMISSION_CHECKS:
-        cols = "parent, child, 'skip_permission_checks' AS reason"
-        if include_is_private:
-            cols += ", 0 AS is_private"
-        return f"SELECT {cols} FROM ({base_resources_sql})", {}
-
-    all_params = {}
-    rule_sqls = []
-    restriction_sqls = []
-
-    for permission_sql in permission_sqls:
-        # Always collect params (even from restriction-only plugins)
-        all_params.update(permission_sql.params or {})
-
-        # Collect restriction SQL filters
-        if permission_sql.restriction_sql:
-            restriction_sqls.append(permission_sql.restriction_sql)
-
-        # Skip plugins that only provide restriction_sql (no permission rules)
-        if permission_sql.sql is None:
-            continue
-        rule_sqls.append(
-            f"""
-            SELECT parent, child, allow, reason, '{permission_sql.source}' AS source_plugin FROM (
-                {permission_sql.sql}
-            )
-            """.strip()
-        )
-
-    # If no rules, return empty result (deny all)
-    if not rule_sqls:
-        empty_cols = "NULL AS parent, NULL AS child, NULL AS reason"
-        if include_is_private:
-            empty_cols += ", NULL AS is_private"
-        return f"SELECT {empty_cols} WHERE 0", {}
-
-    # Build the cascading permission query
-    rules_union = " UNION ALL ".join(rule_sqls)
-
-    # Build the main query
-    query_parts = [
-        "WITH",
-        "base AS (",
-        f"  {base_resources_sql}",
-        "),",
-        "all_rules AS (",
-        f"  {rules_union}",
-        "),",
-    ]
-
-    # If include_is_private, we need to build anonymous permissions too
-    if include_is_private:
-        anon_permission_sqls = await gather_permission_sql_from_hooks(
-            datasette=datasette,
-            actor=None,
-            action=action,
-        )
-        anon_sqls_rewritten = []
-        anon_params = {}
-
-        for permission_sql in anon_permission_sqls:
-            # Skip plugins that only provide restriction_sql (no permission rules)
-            if permission_sql.sql is None:
-                continue
-            rewritten_sql = permission_sql.sql
-            for key, value in (permission_sql.params or {}).items():
-                anon_key = f"anon_{key}"
-                anon_params[anon_key] = value
-                rewritten_sql = rewritten_sql.replace(f":{key}", f":{anon_key}")
-            anon_sqls_rewritten.append(rewritten_sql)
-
-        all_params.update(anon_params)
-
-        if anon_sqls_rewritten:
-            anon_rules_union = " UNION ALL ".join(anon_sqls_rewritten)
-            query_parts.extend(
-                [
-                    "anon_rules AS (",
-                    f"  {anon_rules_union}",
-                    "),",
-                ]
-            )
-
-    # Continue with the cascading logic
-    query_parts.extend(
-        [
-            "child_lvl AS (",
-            "  SELECT b.parent, b.child,",
-            "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-            "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow,",
-            "         json_group_array(CASE WHEN ar.allow = 0 THEN ar.source_plugin || ': ' || ar.reason END) AS deny_reasons,",
-            "         json_group_array(CASE WHEN ar.allow = 1 THEN ar.source_plugin || ': ' || ar.reason END) AS allow_reasons",
-            "  FROM base b",
-            "  LEFT JOIN all_rules ar ON ar.parent = b.parent AND ar.child = b.child",
-            "  GROUP BY b.parent, b.child",
-            "),",
-            "parent_lvl AS (",
-            "  SELECT b.parent, b.child,",
-            "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-            "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow,",
-            "         json_group_array(CASE WHEN ar.allow = 0 THEN ar.source_plugin || ': ' || ar.reason END) AS deny_reasons,",
-            "         json_group_array(CASE WHEN ar.allow = 1 THEN ar.source_plugin || ': ' || ar.reason END) AS allow_reasons",
-            "  FROM base b",
-            "  LEFT JOIN all_rules ar ON ar.parent = b.parent AND ar.child IS NULL",
-            "  GROUP BY b.parent, b.child",
-            "),",
-            "global_lvl AS (",
-            "  SELECT b.parent, b.child,",
-            "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-            "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow,",
-            "         json_group_array(CASE WHEN ar.allow = 0 THEN ar.source_plugin || ': ' || ar.reason END) AS deny_reasons,",
-            "         json_group_array(CASE WHEN ar.allow = 1 THEN ar.source_plugin || ': ' || ar.reason END) AS allow_reasons",
-            "  FROM base b",
-            "  LEFT JOIN all_rules ar ON ar.parent IS NULL AND ar.child IS NULL",
-            "  GROUP BY b.parent, b.child",
-            "),",
-        ]
-    )
-
-    # Add anonymous decision logic if needed
-    if include_is_private:
-        query_parts.extend(
-            [
-                "anon_child_lvl AS (",
-                "  SELECT b.parent, b.child,",
-                "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-                "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow",
-                "  FROM base b",
-                "  LEFT JOIN anon_rules ar ON ar.parent = b.parent AND ar.child = b.child",
-                "  GROUP BY b.parent, b.child",
-                "),",
-                "anon_parent_lvl AS (",
-                "  SELECT b.parent, b.child,",
-                "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-                "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow",
-                "  FROM base b",
-                "  LEFT JOIN anon_rules ar ON ar.parent = b.parent AND ar.child IS NULL",
-                "  GROUP BY b.parent, b.child",
-                "),",
-                "anon_global_lvl AS (",
-                "  SELECT b.parent, b.child,",
-                "         MAX(CASE WHEN ar.allow = 0 THEN 1 ELSE 0 END) AS any_deny,",
-                "         MAX(CASE WHEN ar.allow = 1 THEN 1 ELSE 0 END) AS any_allow",
-                "  FROM base b",
-                "  LEFT JOIN anon_rules ar ON ar.parent IS NULL AND ar.child IS NULL",
-                "  GROUP BY b.parent, b.child",
-                "),",
-                "anon_decisions AS (",
-                "  SELECT",
-                "    b.parent, b.child,",
-                "    CASE",
-                "      WHEN acl.any_deny = 1 THEN 0",
-                "      WHEN acl.any_allow = 1 THEN 1",
-                "      WHEN apl.any_deny = 1 THEN 0",
-                "      WHEN apl.any_allow = 1 THEN 1",
-                "      WHEN agl.any_deny = 1 THEN 0",
-                "      WHEN agl.any_allow = 1 THEN 1",
-                "      ELSE 0",
-                "    END AS anon_is_allowed",
-                "  FROM base b",
-                "  JOIN anon_child_lvl acl ON b.parent = acl.parent AND (b.child = acl.child OR (b.child IS NULL AND acl.child IS NULL))",
-                "  JOIN anon_parent_lvl apl ON b.parent = apl.parent AND (b.child = apl.child OR (b.child IS NULL AND apl.child IS NULL))",
-                "  JOIN anon_global_lvl agl ON b.parent = agl.parent AND (b.child = agl.child OR (b.child IS NULL AND agl.child IS NULL))",
-                "),",
-            ]
-        )
-
-    # Final decisions
-    query_parts.extend(
-        [
-            "decisions AS (",
-            "  SELECT",
-            "    b.parent, b.child,",
-            "    -- Cascading permission logic: child → parent → global, DENY beats ALLOW at each level",
-            "    -- Priority order:",
-            "    --   1. Child-level deny (most specific, blocks access)",
-            "    --   2. Child-level allow (most specific, grants access)",
-            "    --   3. Parent-level deny (intermediate, blocks access)",
-            "    --   4. Parent-level allow (intermediate, grants access)",
-            "    --   5. Global-level deny (least specific, blocks access)",
-            "    --   6. Global-level allow (least specific, grants access)",
-            "    --   7. Default deny (no rules match)",
-            "    CASE",
-            "      WHEN cl.any_deny = 1 THEN 0",
-            "      WHEN cl.any_allow = 1 THEN 1",
-            "      WHEN pl.any_deny = 1 THEN 0",
-            "      WHEN pl.any_allow = 1 THEN 1",
-            "      WHEN gl.any_deny = 1 THEN 0",
-            "      WHEN gl.any_allow = 1 THEN 1",
-            "      ELSE 0",
-            "    END AS is_allowed,",
-            "    CASE",
-            "      WHEN cl.any_deny = 1 THEN cl.deny_reasons",
-            "      WHEN cl.any_allow = 1 THEN cl.allow_reasons",
-            "      WHEN pl.any_deny = 1 THEN pl.deny_reasons",
-            "      WHEN pl.any_allow = 1 THEN pl.allow_reasons",
-            "      WHEN gl.any_deny = 1 THEN gl.deny_reasons",
-            "      WHEN gl.any_allow = 1 THEN gl.allow_reasons",
-            "      ELSE '[]'",
-            "    END AS reason",
-        ]
-    )
-
-    if include_is_private:
-        query_parts.append(
-            "    , CASE WHEN ad.anon_is_allowed = 0 THEN 1 ELSE 0 END AS is_private"
-        )
-
-    query_parts.extend(
-        [
-            "  FROM base b",
-            "  JOIN child_lvl cl ON b.parent = cl.parent AND (b.child = cl.child OR (b.child IS NULL AND cl.child IS NULL))",
-            "  JOIN parent_lvl pl ON b.parent = pl.parent AND (b.child = pl.child OR (b.child IS NULL AND pl.child IS NULL))",
-            "  JOIN global_lvl gl ON b.parent = gl.parent AND (b.child = gl.child OR (b.child IS NULL AND gl.child IS NULL))",
-        ]
-    )
-
-    if include_is_private:
-        query_parts.append(
-            "  JOIN anon_decisions ad ON b.parent = ad.parent AND (b.child = ad.child OR (b.child IS NULL AND ad.child IS NULL))"
-        )
-
-    query_parts.append(")")
-
-    # Add restriction list CTE if there are restrictions
-    if restriction_sqls:
-        # Wrap each restriction_sql in a subquery to avoid operator precedence issues
-        # with UNION ALL inside the restriction SQL statements
-        restriction_intersect = "\nINTERSECT\n".join(
-            f"SELECT * FROM ({sql})" for sql in restriction_sqls
-        )
-        query_parts.extend(
-            [",", "restriction_list AS (", f"  {restriction_intersect}", ")"]
-        )
-
-    # Final SELECT
-    select_cols = "parent, child, reason"
-    if include_is_private:
-        select_cols += ", is_private"
-
-    query_parts.append(f"SELECT {select_cols}")
-    query_parts.append("FROM decisions")
-    query_parts.append("WHERE is_allowed = 1")
-
-    # Add restriction filter if there are restrictions
-    if restriction_sqls:
-        query_parts.append(
-            """
-  AND EXISTS (
-    SELECT 1 FROM restriction_list r
-    WHERE (r.parent = decisions.parent OR r.parent IS NULL)
-      AND (r.child = decisions.child OR r.child IS NULL)
-  )"""
-        )
-
-    # Add parent filter if specified
-    if parent is not None:
-        query_parts.append("  AND parent = :filter_parent")
-        all_params["filter_parent"] = parent
-
-    query_parts.append("ORDER BY parent, child")
-
-    query = "\n".join(query_parts)
-    return query, all_params
-
-
-async def build_permission_rules_sql(
-    datasette: "Datasette", actor: dict | None, action: str
-) -> tuple[str, dict]:
-    """
-    Build the UNION SQL and params for all permission rules for a given actor and action.
-
-    Returns:
-        A tuple of (sql, params) where sql is a UNION ALL query that returns
-        (parent, child, allow, reason, source_plugin) rows.
-    """
-    # Get the Action object
-    action_obj = datasette.actions.get(action)
-    if not action_obj:
-        raise ValueError(f"Unknown action: {action}")
-
-    permission_sqls = await gather_permission_sql_from_hooks(
-        datasette=datasette,
-        actor=actor,
-        action=action,
-    )
-
-    # If permission_sqls is the sentinel, skip all permission checks
-    # Return SQL that allows everything
-    from datasette.utils.permissions import SKIP_PERMISSION_CHECKS
-
-    if permission_sqls is SKIP_PERMISSION_CHECKS:
-        return (
-            "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'skip_permission_checks' AS reason, 'skip' AS source_plugin",
-            {},
-            [],
-        )
-
-    if not permission_sqls:
-        return (
-            "SELECT NULL AS parent, NULL AS child, 0 AS allow, NULL AS reason, NULL AS source_plugin WHERE 0",
-            {},
-            [],
-        )
-
-    union_parts = []
-    all_params = {}
-    restriction_sqls = []
-
-    for permission_sql in permission_sqls:
-        all_params.update(permission_sql.params or {})
-
-        # Collect restriction SQL filters
-        if permission_sql.restriction_sql:
-            restriction_sqls.append(permission_sql.restriction_sql)
-
-        # Skip plugins that only provide restriction_sql (no permission rules)
-        if permission_sql.sql is None:
-            continue
-
-        union_parts.append(
-            f"""
-            SELECT parent, child, allow, reason, '{permission_sql.source}' AS source_plugin FROM (
-                {permission_sql.sql}
-            )
-            """.strip()
-        )
-
-    rules_union = " UNION ALL ".join(union_parts)
-    return rules_union, all_params, restriction_sqls
-
-
-async def check_permission_for_resource(
-    *,
-    datasette: "Datasette",
-    actor: dict | None,
-    action: str,
-    parent: str | None,
-    child: str | None,
-) -> bool:
-    """
-    Check if an actor has permission for a specific action on a specific resource.
-
-    Args:
-        datasette: The Datasette instance
-        actor: The actor dict (or None)
-        action: The action name
-        parent: The parent resource identifier (e.g., database name, or None)
-        child: The child resource identifier (e.g., table name, or None)
-
-    Returns:
-        True if the actor is allowed, False otherwise
-
-    This builds the cascading permission query and checks if the specific
-    resource is in the allowed set.
-    """
-    rules_union, all_params, restriction_sqls = await build_permission_rules_sql(
-        datasette, actor, action
-    )
-
-    # If no rules (empty SQL), default deny
-    if not rules_union:
-        return False
-
-    # Add parameters for the resource we're checking
-    all_params["_check_parent"] = parent
-    all_params["_check_child"] = child
-
-    # If there are restriction filters, check if the resource passes them first
-    if restriction_sqls:
-        # Check if resource is in restriction allowlist
-        # Database-level restrictions (parent, NULL) should match all children (parent, *)
-        # Wrap each restriction_sql in a subquery to avoid operator precedence issues
-        restriction_check = "\nINTERSECT\n".join(
-            f"SELECT * FROM ({sql})" for sql in restriction_sqls
-        )
-        restriction_query = f"""
-WITH restriction_list AS (
-    {restriction_check}
-)
-SELECT EXISTS (
-    SELECT 1 FROM restriction_list
-    WHERE (parent = :_check_parent OR parent IS NULL)
-      AND (child = :_check_child OR child IS NULL)
-) AS in_allowlist
-"""
-        result = await datasette.get_internal_database().execute(
-            restriction_query, all_params
-        )
-        if result.rows and not result.rows[0][0]:
-            # Resource not in restriction allowlist - deny
-            return False
-
-    query = f"""
-WITH
-all_rules AS (
-  {rules_union}
-),
-matched_rules AS (
-  SELECT ar.*,
-    CASE
-      WHEN ar.child IS NOT NULL THEN 2  -- child-level (most specific)
-      WHEN ar.parent IS NOT NULL THEN 1  -- parent-level
-      ELSE 0                             -- root/global
-    END AS depth
-  FROM all_rules ar
-  WHERE (ar.parent IS NULL OR ar.parent = :_check_parent)
-    AND (ar.child IS NULL OR ar.child = :_check_child)
-),
-winner AS (
-  SELECT *
-  FROM matched_rules
-  ORDER BY
-    depth DESC,                          -- specificity first (higher depth wins)
-    CASE WHEN allow=0 THEN 0 ELSE 1 END, -- then deny over allow
-    source_plugin                        -- stable tie-break
-  LIMIT 1
-)
-SELECT COALESCE((SELECT allow FROM winner), 0) AS is_allowed
-"""
-
-    # Execute the query against the internal database
-    result = await datasette.get_internal_database().execute(query, all_params)
-    if result.rows:
-        return bool(result.rows[0][0])
-    return False
diff --git a/datasette/utils/asgi.py b/datasette/utils/asgi.py
index 7f3329a6..1699847e 100644
--- a/datasette/utils/asgi.py
+++ b/datasette/utils/asgi.py
@@ -1,3 +1,4 @@
+import hashlib
 import json
 from datasette.utils import MultiParams, calculate_etag
 from mimetypes import guess_type
@@ -6,7 +7,6 @@ from pathlib import Path
 from http.cookies import SimpleCookie, Morsel
 import aiofiles
 import aiofiles.os
-import re
 
 # Workaround for adding samesite support to pre 3.8 python
 Morsel._reserved["samesite"] = "SameSite"
@@ -249,9 +249,6 @@ async def asgi_send_html(send, html, status=200, headers=None):
 
 
 async def asgi_send_redirect(send, location, status=302):
-    # Prevent open redirect vulnerability: strip multiple leading slashes
-    # //example.com would be interpreted as a protocol-relative URL (e.g., https://example.com/)
-    location = re.sub(r"^/+", "/", location)
     await asgi_send(
         send,
         "",
diff --git a/datasette/utils/check_callable.py b/datasette/utils/check_callable.py
index a0997d20..5b8a30ac 100644
--- a/datasette/utils/check_callable.py
+++ b/datasette/utils/check_callable.py
@@ -1,4 +1,4 @@
-import inspect
+import asyncio
 import types
 from typing import NamedTuple, Any
 
@@ -17,9 +17,9 @@ def check_callable(obj: Any) -> CallableStatus:
         return CallableStatus(True, False)
 
     if isinstance(obj, types.FunctionType):
-        return CallableStatus(True, inspect.iscoroutinefunction(obj))
+        return CallableStatus(True, asyncio.iscoroutinefunction(obj))
 
     if hasattr(obj, "__call__"):
-        return CallableStatus(True, inspect.iscoroutinefunction(obj.__call__))
+        return CallableStatus(True, asyncio.iscoroutinefunction(obj.__call__))
 
     assert False, "obj {} is somehow callable with no __call__ method".format(repr(obj))
diff --git a/datasette/utils/permissions.py b/datasette/utils/permissions.py
deleted file mode 100644
index 6c30a12a..00000000
--- a/datasette/utils/permissions.py
+++ /dev/null
@@ -1,439 +0,0 @@
-# perm_utils.py
-from __future__ import annotations
-
-import json
-from typing import Any, Dict, Iterable, List, Sequence, Tuple
-import sqlite3
-
-from datasette.permissions import PermissionSQL
-from datasette.plugins import pm
-from datasette.utils import await_me_maybe
-
-
-# Sentinel object to indicate permission checks should be skipped
-SKIP_PERMISSION_CHECKS = object()
-
-
-async def gather_permission_sql_from_hooks(
-    *, datasette, actor: dict | None, action: str
-) -> List[PermissionSQL] | object:
-    """Collect PermissionSQL objects from the permission_resources_sql hook.
-
-    Ensures that each returned PermissionSQL has a populated ``source``.
-
-    Returns SKIP_PERMISSION_CHECKS sentinel if skip_permission_checks context variable
-    is set, signaling that all permission checks should be bypassed.
-    """
-    from datasette.permissions import _skip_permission_checks
-
-    # Check if we should skip permission checks BEFORE calling hooks
-    # This avoids creating unawaited coroutines
-    if _skip_permission_checks.get():
-        return SKIP_PERMISSION_CHECKS
-
-    hook_caller = pm.hook.permission_resources_sql
-    hookimpls = hook_caller.get_hookimpls()
-    hook_results = list(hook_caller(datasette=datasette, actor=actor, action=action))
-
-    collected: List[PermissionSQL] = []
-    actor_json = json.dumps(actor) if actor is not None else None
-    actor_id = actor.get("id") if isinstance(actor, dict) else None
-
-    for index, result in enumerate(hook_results):
-        hookimpl = hookimpls[index]
-        resolved = await await_me_maybe(result)
-        default_source = _plugin_name_from_hookimpl(hookimpl)
-        for permission_sql in _iter_permission_sql_from_result(resolved, action=action):
-            if not permission_sql.source:
-                permission_sql.source = default_source
-            params = permission_sql.params or {}
-            params.setdefault("action", action)
-            params.setdefault("actor", actor_json)
-            params.setdefault("actor_id", actor_id)
-            collected.append(permission_sql)
-
-    return collected
-
-
-def _plugin_name_from_hookimpl(hookimpl) -> str:
-    if getattr(hookimpl, "plugin_name", None):
-        return hookimpl.plugin_name
-    plugin = getattr(hookimpl, "plugin", None)
-    if hasattr(plugin, "__name__"):
-        return plugin.__name__
-    return repr(plugin)
-
-
-def _iter_permission_sql_from_result(
-    result: Any, *, action: str
-) -> Iterable[PermissionSQL]:
-    if result is None:
-        return []
-    if isinstance(result, PermissionSQL):
-        return [result]
-    if isinstance(result, (list, tuple)):
-        collected: List[PermissionSQL] = []
-        for item in result:
-            collected.extend(_iter_permission_sql_from_result(item, action=action))
-        return collected
-    if callable(result):
-        permission_sql = result(action)  # type: ignore[call-arg]
-        return _iter_permission_sql_from_result(permission_sql, action=action)
-    raise TypeError(
-        "Plugin providers must return PermissionSQL instances, sequences, or callables"
-    )
-
-
-# -----------------------------
-# Plugin interface & utilities
-# -----------------------------
-
-
-def build_rules_union(
-    actor: dict | None, plugins: Sequence[PermissionSQL]
-) -> Tuple[str, Dict[str, Any]]:
-    """
-    Compose plugin SQL into a UNION ALL.
-
-    Returns:
-      union_sql: a SELECT with columns (parent, child, allow, reason, source_plugin)
-      params:    dict of bound parameters including :actor (JSON), :actor_id, and plugin params
-
-    Note: Plugins are responsible for ensuring their parameter names don't conflict.
-    The system reserves these parameter names: :actor, :actor_id, :action, :filter_parent
-    Plugin parameters should be prefixed with a unique identifier (e.g., source name).
-    """
-    parts: List[str] = []
-    actor_json = json.dumps(actor) if actor else None
-    actor_id = actor.get("id") if actor else None
-    params: Dict[str, Any] = {"actor": actor_json, "actor_id": actor_id}
-
-    for p in plugins:
-        # No namespacing - just use plugin params as-is
-        params.update(p.params or {})
-
-        # Skip plugins that only provide restriction_sql (no permission rules)
-        if p.sql is None:
-            continue
-
-        parts.append(
-            f"""
-            SELECT parent, child, allow, reason, '{p.source}' AS source_plugin FROM (
-                {p.sql}
-            )
-            """.strip()
-        )
-
-    if not parts:
-        # Empty UNION that returns no rows
-        union_sql = "SELECT NULL parent, NULL child, NULL allow, NULL reason, 'none' source_plugin WHERE 0"
-    else:
-        union_sql = "\nUNION ALL\n".join(parts)
-
-    return union_sql, params
-
-
-# -----------------------------------------------
-# Core resolvers (no temp tables, no custom UDFs)
-# -----------------------------------------------
-
-
-async def resolve_permissions_from_catalog(
-    db,
-    actor: dict | None,
-    plugins: Sequence[Any],
-    action: str,
-    candidate_sql: str,
-    candidate_params: Dict[str, Any] | None = None,
-    *,
-    implicit_deny: bool = True,
-) -> List[Dict[str, Any]]:
-    """
-    Resolve permissions by embedding the provided *candidate_sql* in a CTE.
-
-    Expectations:
-      - candidate_sql SELECTs: parent TEXT, child TEXT
-        (Use child=NULL for parent-scoped actions like "execute-sql".)
-      - *db* exposes: rows = await db.execute(sql, params)
-        where rows is an iterable of sqlite3.Row
-      - plugins: hook results handled by await_me_maybe - can be sync/async,
-        single PermissionSQL, list, or callable returning PermissionSQL
-      - actor is the actor dict (or None), made available as :actor (JSON), :actor_id, and :action
-
-    Decision policy:
-      1) Specificity first: child (depth=2) > parent (depth=1) > root (depth=0)
-      2) Within the same depth: deny (0) beats allow (1)
-      3) If no matching rule:
-         - implicit_deny=True  -> treat as allow=0, reason='implicit deny'
-         - implicit_deny=False -> allow=None, reason=None
-
-    Returns: list of dict rows
-      - parent, child, allow, reason, source_plugin, depth
-      - resource (rendered "/parent/child" or "/parent" or "/")
-    """
-    resolved_plugins: List[PermissionSQL] = []
-    restriction_sqls: List[str] = []
-
-    for plugin in plugins:
-        if callable(plugin) and not isinstance(plugin, PermissionSQL):
-            resolved = plugin(action)  # type: ignore[arg-type]
-        else:
-            resolved = plugin  # type: ignore[assignment]
-        if not isinstance(resolved, PermissionSQL):
-            raise TypeError("Plugin providers must return PermissionSQL instances")
-        resolved_plugins.append(resolved)
-
-        # Collect restriction SQL filters
-        if resolved.restriction_sql:
-            restriction_sqls.append(resolved.restriction_sql)
-
-    union_sql, rule_params = build_rules_union(actor, resolved_plugins)
-    all_params = {
-        **(candidate_params or {}),
-        **rule_params,
-        "action": action,
-    }
-
-    sql = f"""
-    WITH
-    cands AS (
-        {candidate_sql}
-    ),
-    rules AS (
-        {union_sql}
-    ),
-    matched AS (
-        SELECT
-            c.parent, c.child,
-            r.allow, r.reason, r.source_plugin,
-            CASE
-              WHEN r.child  IS NOT NULL THEN 2  -- child-level (most specific)
-              WHEN r.parent IS NOT NULL THEN 1  -- parent-level
-              ELSE 0                            -- root/global
-            END AS depth
-        FROM cands c
-        JOIN rules r
-          ON (r.parent IS NULL OR r.parent = c.parent)
-         AND (r.child  IS NULL OR r.child  = c.child)
-    ),
-    ranked AS (
-        SELECT *,
-               ROW_NUMBER() OVER (
-                 PARTITION BY parent, child
-                 ORDER BY
-                   depth DESC,                          -- specificity first
-                   CASE WHEN allow=0 THEN 0 ELSE 1 END, -- then deny over allow at same depth
-                   source_plugin                        -- stable tie-break
-               ) AS rn
-        FROM matched
-    ),
-    winner AS (
-        SELECT parent, child,
-               allow, reason, source_plugin, depth
-        FROM ranked WHERE rn = 1
-    )
-    SELECT
-      c.parent, c.child,
-      COALESCE(w.allow, CASE WHEN :implicit_deny THEN 0 ELSE NULL END) AS allow,
-      COALESCE(w.reason, CASE WHEN :implicit_deny THEN 'implicit deny' ELSE NULL END) AS reason,
-      w.source_plugin,
-      COALESCE(w.depth, -1) AS depth,
-      :action AS action,
-      CASE
-        WHEN c.parent IS NULL THEN '/'
-        WHEN c.child  IS NULL THEN '/' || c.parent
-        ELSE '/' || c.parent || '/' || c.child
-      END AS resource
-    FROM cands c
-    LEFT JOIN winner w
-      ON ((w.parent = c.parent) OR (w.parent IS NULL AND c.parent IS NULL))
-     AND ((w.child  = c.child ) OR (w.child  IS NULL AND c.child  IS NULL))
-    ORDER BY c.parent, c.child
-    """
-
-    # If there are restriction filters, wrap the query with INTERSECT
-    # This ensures only resources in the restriction allowlist are returned
-    if restriction_sqls:
-        # Start with the main query, but select only parent/child for the INTERSECT
-        main_query_for_intersect = f"""
-        WITH
-        cands AS (
-            {candidate_sql}
-        ),
-        rules AS (
-            {union_sql}
-        ),
-        matched AS (
-            SELECT
-                c.parent, c.child,
-                r.allow, r.reason, r.source_plugin,
-                CASE
-                  WHEN r.child  IS NOT NULL THEN 2  -- child-level (most specific)
-                  WHEN r.parent IS NOT NULL THEN 1  -- parent-level
-                  ELSE 0                            -- root/global
-                END AS depth
-            FROM cands c
-            JOIN rules r
-              ON (r.parent IS NULL OR r.parent = c.parent)
-             AND (r.child  IS NULL OR r.child  = c.child)
-        ),
-        ranked AS (
-            SELECT *,
-                   ROW_NUMBER() OVER (
-                     PARTITION BY parent, child
-                     ORDER BY
-                       depth DESC,                          -- specificity first
-                       CASE WHEN allow=0 THEN 0 ELSE 1 END, -- then deny over allow at same depth
-                       source_plugin                        -- stable tie-break
-                   ) AS rn
-            FROM matched
-        ),
-        winner AS (
-            SELECT parent, child,
-                   allow, reason, source_plugin, depth
-            FROM ranked WHERE rn = 1
-        ),
-        permitted_resources AS (
-            SELECT c.parent, c.child
-            FROM cands c
-            LEFT JOIN winner w
-              ON ((w.parent = c.parent) OR (w.parent IS NULL AND c.parent IS NULL))
-             AND ((w.child  = c.child ) OR (w.child  IS NULL AND c.child  IS NULL))
-            WHERE COALESCE(w.allow, CASE WHEN :implicit_deny THEN 0 ELSE NULL END) = 1
-        )
-        SELECT parent, child FROM permitted_resources
-        """
-
-        # Build restriction list with INTERSECT (all must match)
-        # Then filter to resources that match hierarchically
-        # Wrap each restriction_sql in a subquery to avoid operator precedence issues
-        # with UNION ALL inside the restriction SQL statements
-        restriction_intersect = "\nINTERSECT\n".join(
-            f"SELECT * FROM ({sql})" for sql in restriction_sqls
-        )
-
-        # Combine: resources allowed by permissions AND in restriction allowlist
-        # Database-level restrictions (parent, NULL) should match all children (parent, *)
-        filtered_resources = f"""
-        WITH restriction_list AS (
-            {restriction_intersect}
-        ),
-        permitted AS (
-            {main_query_for_intersect}
-        ),
-        filtered AS (
-            SELECT p.parent, p.child
-            FROM permitted p
-            WHERE EXISTS (
-                SELECT 1 FROM restriction_list r
-                WHERE (r.parent = p.parent OR r.parent IS NULL)
-                  AND (r.child = p.child OR r.child IS NULL)
-            )
-        )
-        """
-
-        # Now join back to get full results for only the filtered resources
-        sql = f"""
-        {filtered_resources}
-        , cands AS (
-            {candidate_sql}
-        ),
-        rules AS (
-            {union_sql}
-        ),
-        matched AS (
-            SELECT
-                c.parent, c.child,
-                r.allow, r.reason, r.source_plugin,
-                CASE
-                  WHEN r.child  IS NOT NULL THEN 2  -- child-level (most specific)
-                  WHEN r.parent IS NOT NULL THEN 1  -- parent-level
-                  ELSE 0                            -- root/global
-                END AS depth
-            FROM cands c
-            JOIN rules r
-              ON (r.parent IS NULL OR r.parent = c.parent)
-             AND (r.child  IS NULL OR r.child  = c.child)
-        ),
-        ranked AS (
-            SELECT *,
-                   ROW_NUMBER() OVER (
-                     PARTITION BY parent, child
-                     ORDER BY
-                       depth DESC,                          -- specificity first
-                       CASE WHEN allow=0 THEN 0 ELSE 1 END, -- then deny over allow at same depth
-                       source_plugin                        -- stable tie-break
-                   ) AS rn
-            FROM matched
-        ),
-        winner AS (
-            SELECT parent, child,
-                   allow, reason, source_plugin, depth
-            FROM ranked WHERE rn = 1
-        )
-        SELECT
-          c.parent, c.child,
-          COALESCE(w.allow, CASE WHEN :implicit_deny THEN 0 ELSE NULL END) AS allow,
-          COALESCE(w.reason, CASE WHEN :implicit_deny THEN 'implicit deny' ELSE NULL END) AS reason,
-          w.source_plugin,
-          COALESCE(w.depth, -1) AS depth,
-          :action AS action,
-          CASE
-            WHEN c.parent IS NULL THEN '/'
-            WHEN c.child  IS NULL THEN '/' || c.parent
-            ELSE '/' || c.parent || '/' || c.child
-          END AS resource
-        FROM filtered c
-        LEFT JOIN winner w
-          ON ((w.parent = c.parent) OR (w.parent IS NULL AND c.parent IS NULL))
-         AND ((w.child  = c.child ) OR (w.child  IS NULL AND c.child  IS NULL))
-        ORDER BY c.parent, c.child
-        """
-
-    rows_iter: Iterable[sqlite3.Row] = await db.execute(
-        sql,
-        {**all_params, "implicit_deny": 1 if implicit_deny else 0},
-    )
-    return [dict(r) for r in rows_iter]
-
-
-async def resolve_permissions_with_candidates(
-    db,
-    actor: dict | None,
-    plugins: Sequence[Any],
-    candidates: List[Tuple[str, str | None]],
-    action: str,
-    *,
-    implicit_deny: bool = True,
-) -> List[Dict[str, Any]]:
-    """
-    Resolve permissions without any external candidate table by embedding
-    the candidates as a UNION of parameterized SELECTs in a CTE.
-
-    candidates: list of (parent, child) where child can be None for parent-scoped actions.
-    actor: actor dict (or None), made available as :actor (JSON), :actor_id, and :action
-    """
-    # Build a small CTE for candidates.
-    cand_rows_sql: List[str] = []
-    cand_params: Dict[str, Any] = {}
-    for i, (parent, child) in enumerate(candidates):
-        pkey = f"cand_p_{i}"
-        ckey = f"cand_c_{i}"
-        cand_params[pkey] = parent
-        cand_params[ckey] = child
-        cand_rows_sql.append(f"SELECT :{pkey} AS parent, :{ckey} AS child")
-    candidate_sql = (
-        "\nUNION ALL\n".join(cand_rows_sql)
-        if cand_rows_sql
-        else "SELECT NULL AS parent, NULL AS child WHERE 0"
-    )
-
-    return await resolve_permissions_from_catalog(
-        db,
-        actor,
-        plugins,
-        action,
-        candidate_sql=candidate_sql,
-        candidate_params=cand_params,
-        implicit_deny=implicit_deny,
-    )
diff --git a/datasette/version.py b/datasette/version.py
index fff37a72..c1318c6f 100644
--- a/datasette/version.py
+++ b/datasette/version.py
@@ -1,2 +1,2 @@
-__version__ = "1.0a23"
+__version__ = "1.0a19"
 __version_info__ = tuple(__version__.split("."))
diff --git a/datasette/views/base.py b/datasette/views/base.py
index 5216924f..bdc9f742 100644
--- a/datasette/views/base.py
+++ b/datasette/views/base.py
@@ -1,7 +1,6 @@
 import asyncio
 import csv
 import hashlib
-import json
 import sys
 import textwrap
 import time
diff --git a/datasette/views/database.py b/datasette/views/database.py
index 51c752a0..33ee07b3 100644
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@@ -9,10 +9,10 @@ import os
 import re
 import sqlite_utils
 import textwrap
+from typing import List
 
 from datasette.events import AlterTableEvent, CreateTableEvent, InsertRowsEvent
 from datasette.database import QueryInterrupted
-from datasette.resources import DatabaseResource, QueryResource
 from datasette.utils import (
     add_cors_headers,
     await_me_maybe,
@@ -35,7 +35,6 @@ from datasette.utils.asgi import AsgiFileDownload, NotFound, Response, Forbidden
 from datasette.plugins import pm
 
 from .base import BaseView, DatasetteError, View, _error, stream_csv
-from . import Context
 
 
 class DatabaseView(View):
@@ -49,8 +48,10 @@ class DatabaseView(View):
 
         visible, private = await datasette.check_visibility(
             request.actor,
-            action="view-database",
-            resource=DatabaseResource(database=database),
+            permissions=[
+                ("view-database", database),
+                "view-instance",
+            ],
         )
         if not visible:
             raise Forbidden("You do not have permission to view this database")
@@ -69,46 +70,40 @@ class DatabaseView(View):
 
         metadata = await datasette.get_database_metadata(database)
 
-        # Get all tables/views this actor can see in bulk with private flag
-        allowed_tables_page = await datasette.allowed_resources(
-            "view-table",
-            request.actor,
-            parent=database,
-            include_is_private=True,
-            limit=1000,
-        )
-        # Create lookup dict for quick access
-        allowed_dict = {r.child: r for r in allowed_tables_page.resources}
-
-        # Filter to just views
-        view_names_set = set(await db.view_names())
-        sql_views = [
-            {"name": name, "private": allowed_dict[name].private}
-            for name in allowed_dict
-            if name in view_names_set
-        ]
-
-        tables = await get_tables(datasette, request, db, allowed_dict)
-
-        # Get allowed queries using the new permission system
-        allowed_query_page = await datasette.allowed_resources(
-            "view-query",
-            request.actor,
-            parent=database,
-            include_is_private=True,
-            limit=1000,
-        )
-
-        # Build canned_queries list by looking up each allowed query
-        all_queries = await datasette.get_canned_queries(database, request.actor)
-        canned_queries = []
-        for query_resource in allowed_query_page.resources:
-            query_name = query_resource.child
-            if query_name in all_queries:
-                canned_queries.append(
-                    dict(all_queries[query_name], private=query_resource.private)
+        sql_views = []
+        for view_name in await db.view_names():
+            view_visible, view_private = await datasette.check_visibility(
+                request.actor,
+                permissions=[
+                    ("view-table", (database, view_name)),
+                    ("view-database", database),
+                    "view-instance",
+                ],
+            )
+            if view_visible:
+                sql_views.append(
+                    {
+                        "name": view_name,
+                        "private": view_private,
+                    }
                 )
 
+        tables = await get_tables(datasette, request, db)
+        canned_queries = []
+        for query in (
+            await datasette.get_canned_queries(database, request.actor)
+        ).values():
+            query_visible, query_private = await datasette.check_visibility(
+                request.actor,
+                permissions=[
+                    ("view-query", (database, query["name"])),
+                    ("view-database", database),
+                    "view-instance",
+                ],
+            )
+            if query_visible:
+                canned_queries.append(dict(query, private=query_private))
+
         async def database_actions():
             links = []
             for hook in pm.hook.database_actions(
@@ -124,10 +119,8 @@ class DatabaseView(View):
 
         attached_databases = [d.name for d in await db.attached_databases()]
 
-        allow_execute_sql = await datasette.allowed(
-            action="execute-sql",
-            resource=DatabaseResource(database=database),
-            actor=request.actor,
+        allow_execute_sql = await datasette.permission_allowed(
+            request.actor, "execute-sql", database
         )
         json_data = {
             "database": database,
@@ -159,43 +152,31 @@ class DatabaseView(View):
         templates = (f"database-{to_css_class(database)}.html", "database.html")
         environment = datasette.get_jinja_environment(request)
         template = environment.select_template(templates)
+        context = {
+            **json_data,
+            "database_color": db.color,
+            "database_actions": database_actions,
+            "show_hidden": request.args.get("_show_hidden"),
+            "editable": True,
+            "metadata": metadata,
+            "count_limit": db.count_limit,
+            "allow_download": datasette.setting("allow_download")
+            and not db.is_mutable
+            and not db.is_memory,
+            "attached_databases": attached_databases,
+            "alternate_url_json": alternate_url_json,
+            "select_templates": [
+                f"{'*' if template_name == template.name else ''}{template_name}"
+                for template_name in templates
+            ],
+            "top_database": make_slot_function(
+                "top_database", datasette, request, database=database
+            ),
+        }
         return Response.html(
             await datasette.render_template(
                 templates,
-                DatabaseContext(
-                    database=database,
-                    private=private,
-                    path=datasette.urls.database(database),
-                    size=db.size,
-                    tables=tables,
-                    hidden_count=len([t for t in tables if t["hidden"]]),
-                    views=sql_views,
-                    queries=canned_queries,
-                    allow_execute_sql=allow_execute_sql,
-                    table_columns=(
-                        await _table_columns(datasette, database)
-                        if allow_execute_sql
-                        else {}
-                    ),
-                    metadata=metadata,
-                    database_color=db.color,
-                    database_actions=database_actions,
-                    show_hidden=request.args.get("_show_hidden"),
-                    editable=True,
-                    count_limit=db.count_limit,
-                    allow_download=datasette.setting("allow_download")
-                    and not db.is_mutable
-                    and not db.is_memory,
-                    attached_databases=attached_databases,
-                    alternate_url_json=alternate_url_json,
-                    select_templates=[
-                        f"{'*' if template_name == template.name else ''}{template_name}"
-                        for template_name in templates
-                    ],
-                    top_database=make_slot_function(
-                        "top_database", datasette, request, database=database
-                    ),
-                ),
+                context,
                 request=request,
                 view_name="database",
             ),
@@ -208,56 +189,7 @@ class DatabaseView(View):
 
 
 @dataclass
-class DatabaseContext(Context):
-    database: str = field(metadata={"help": "The name of the database"})
-    private: bool = field(
-        metadata={"help": "Boolean indicating if this is a private database"}
-    )
-    path: str = field(metadata={"help": "The URL path to this database"})
-    size: int = field(metadata={"help": "The size of the database in bytes"})
-    tables: list = field(metadata={"help": "List of table objects in the database"})
-    hidden_count: int = field(metadata={"help": "Count of hidden tables"})
-    views: list = field(metadata={"help": "List of view objects in the database"})
-    queries: list = field(metadata={"help": "List of canned query objects"})
-    allow_execute_sql: bool = field(
-        metadata={"help": "Boolean indicating if custom SQL can be executed"}
-    )
-    table_columns: dict = field(
-        metadata={"help": "Dictionary mapping table names to their column lists"}
-    )
-    metadata: dict = field(metadata={"help": "Metadata for the database"})
-    database_color: str = field(metadata={"help": "The color assigned to the database"})
-    database_actions: callable = field(
-        metadata={
-            "help": "Callable returning list of action links for the database menu"
-        }
-    )
-    show_hidden: str = field(metadata={"help": "Value of _show_hidden query parameter"})
-    editable: bool = field(
-        metadata={"help": "Boolean indicating if the database is editable"}
-    )
-    count_limit: int = field(metadata={"help": "The maximum number of rows to count"})
-    allow_download: bool = field(
-        metadata={"help": "Boolean indicating if database download is allowed"}
-    )
-    attached_databases: list = field(
-        metadata={"help": "List of names of attached databases"}
-    )
-    alternate_url_json: str = field(
-        metadata={"help": "URL for the alternate JSON version of this page"}
-    )
-    select_templates: list = field(
-        metadata={
-            "help": "List of templates that were considered for rendering this page"
-        }
-    )
-    top_database: callable = field(
-        metadata={"help": "Callable to render the top_database slot"}
-    )
-
-
-@dataclass
-class QueryContext(Context):
+class QueryContext:
     database: str = field(metadata={"help": "The name of the database being queried"})
     database_color: str = field(metadata={"help": "The color of the database"})
     query: dict = field(
@@ -338,25 +270,24 @@ class QueryContext(Context):
     )
 
 
-async def get_tables(datasette, request, db, allowed_dict):
-    """
-    Get list of tables with metadata for the database view.
-
-    Args:
-        datasette: The Datasette instance
-        request: The current request
-        db: The database
-        allowed_dict: Dict mapping table name -> Resource object with .private attribute
-    """
+async def get_tables(datasette, request, db):
     tables = []
+    database = db.name
     table_counts = await db.table_counts(100)
     hidden_table_names = set(await db.hidden_table_names())
     all_foreign_keys = await db.get_all_foreign_keys()
 
     for table in table_counts:
-        if table not in allowed_dict:
+        table_visible, table_private = await datasette.check_visibility(
+            request.actor,
+            permissions=[
+                ("view-table", (database, table)),
+                ("view-database", database),
+                "view-instance",
+            ],
+        )
+        if not table_visible:
             continue
-
         table_columns = await db.table_columns(table)
         tables.append(
             {
@@ -367,7 +298,7 @@ async def get_tables(datasette, request, db, allowed_dict):
                 "hidden": table in hidden_table_names,
                 "fts_table": await db.fts_table(table),
                 "foreign_keys": all_foreign_keys[table],
-                "private": allowed_dict[table].private,
+                "private": table_private,
             }
         )
     tables.sort(key=lambda t: (t["hidden"], t["name"]))
@@ -375,13 +306,14 @@ async def get_tables(datasette, request, db, allowed_dict):
 
 
 async def database_download(request, datasette):
-    from datasette.resources import DatabaseResource
-
     database = tilde_decode(request.url_vars["database"])
-    await datasette.ensure_permission(
-        action="view-database-download",
-        resource=DatabaseResource(database=database),
-        actor=request.actor,
+    await datasette.ensure_permissions(
+        request.actor,
+        [
+            ("view-database-download", database),
+            ("view-database", database),
+            "view-instance",
+        ],
     )
     try:
         db = datasette.get_database(route=database)
@@ -515,17 +447,6 @@ class QueryView(View):
         db = await datasette.resolve_database(request)
         database = db.name
 
-        # Get all tables/views this actor can see in bulk with private flag
-        allowed_tables_page = await datasette.allowed_resources(
-            "view-table",
-            request.actor,
-            parent=database,
-            include_is_private=True,
-            limit=1000,
-        )
-        # Create lookup dict for quick access
-        allowed_dict = {r.child: r for r in allowed_tables_page.resources}
-
         # Are we a canned query?
         canned_query = None
         canned_query_write = False
@@ -546,17 +467,18 @@ class QueryView(View):
             # Respect canned query permissions
             visible, private = await datasette.check_visibility(
                 request.actor,
-                action="view-query",
-                resource=QueryResource(database=database, query=canned_query["name"]),
+                permissions=[
+                    ("view-query", (database, canned_query["name"])),
+                    ("view-database", database),
+                    "view-instance",
+                ],
             )
             if not visible:
                 raise Forbidden("You do not have permission to view this query")
 
         else:
-            await datasette.ensure_permission(
-                action="execute-sql",
-                resource=DatabaseResource(database=database),
-                actor=request.actor,
+            await datasette.ensure_permissions(
+                request.actor, [("execute-sql", database)]
             )
 
         # Flattened because of ?sql=&name1=value1&name2=value2 feature
@@ -735,10 +657,8 @@ class QueryView(View):
                         path_with_format(request=request, format=key)
                     )
 
-            allow_execute_sql = await datasette.allowed(
-                action="execute-sql",
-                resource=DatabaseResource(database=database),
-                actor=request.actor,
+            allow_execute_sql = await datasette.permission_allowed(
+                request.actor, "execute-sql", database
             )
 
             show_hide_hidden = ""
@@ -826,7 +746,7 @@ class QueryView(View):
                         show_hide_text=show_hide_text,
                         editable=not canned_query,
                         allow_execute_sql=allow_execute_sql,
-                        tables=await get_tables(datasette, request, db, allowed_dict),
+                        tables=await get_tables(datasette, request, db),
                         named_parameter_values=named_parameter_values,
                         edit_sql_url=edit_sql_url,
                         display_rows=await display_rows(
@@ -948,10 +868,8 @@ class TableCreateView(BaseView):
         database_name = db.name
 
         # Must have create-table permission
-        if not await self.ds.allowed(
-            action="create-table",
-            resource=DatabaseResource(database=database_name),
-            actor=request.actor,
+        if not await self.ds.permission_allowed(
+            request.actor, "create-table", resource=database_name
         ):
             return _error(["Permission denied"], 403)
 
@@ -987,10 +905,8 @@ class TableCreateView(BaseView):
 
         if replace:
             # Must have update-row permission
-            if not await self.ds.allowed(
-                action="update-row",
-                resource=DatabaseResource(database=database_name),
-                actor=request.actor,
+            if not await self.ds.permission_allowed(
+                request.actor, "update-row", resource=database_name
             ):
                 return _error(["Permission denied: need update-row"], 403)
 
@@ -1013,10 +929,8 @@ class TableCreateView(BaseView):
 
         if rows or row:
             # Must have insert-row permission
-            if not await self.ds.allowed(
-                action="insert-row",
-                resource=DatabaseResource(database=database_name),
-                actor=request.actor,
+            if not await self.ds.permission_allowed(
+                request.actor, "insert-row", resource=database_name
             ):
                 return _error(["Permission denied: need insert-row"], 403)
 
@@ -1028,10 +942,8 @@ class TableCreateView(BaseView):
             else:
                 # alter=True only if they request it AND they have permission
                 if data.get("alter"):
-                    if not await self.ds.allowed(
-                        action="alter-table",
-                        resource=DatabaseResource(database=database_name),
-                        actor=request.actor,
+                    if not await self.ds.permission_allowed(
+                        request.actor, "alter-table", resource=database_name
                     ):
                         return _error(["Permission denied: need alter-table"], 403)
                     alter = True
diff --git a/datasette/views/index.py b/datasette/views/index.py
index a59c687c..63cc067d 100644
--- a/datasette/views/index.py
+++ b/datasette/views/index.py
@@ -25,49 +25,28 @@ class IndexView(BaseView):
 
     async def get(self, request):
         as_format = request.url_vars["format"]
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
-
-        # Get all allowed databases and tables in bulk
-        db_page = await self.ds.allowed_resources(
-            "view-database", request.actor, include_is_private=True
-        )
-        allowed_databases = [r async for r in db_page.all()]
-        allowed_db_dict = {r.parent: r for r in allowed_databases}
-
-        # Group tables by database
-        tables_by_db = {}
-        table_page = await self.ds.allowed_resources(
-            "view-table", request.actor, include_is_private=True
-        )
-        async for t in table_page.all():
-            if t.parent not in tables_by_db:
-                tables_by_db[t.parent] = {}
-            tables_by_db[t.parent][t.child] = t
-
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
         databases = []
-        # Iterate over allowed databases instead of all databases
-        for name in allowed_db_dict.keys():
-            db = self.ds.databases[name]
-            database_private = allowed_db_dict[name].private
-
-            # Get allowed tables/views for this database
-            allowed_for_db = tables_by_db.get(name, {})
-
-            # Get table names from allowed set instead of db.table_names()
-            table_names = [child_name for child_name in allowed_for_db.keys()]
-
+        for name, db in self.ds.databases.items():
+            database_visible, database_private = await self.ds.check_visibility(
+                request.actor,
+                "view-database",
+                name,
+            )
+            if not database_visible:
+                continue
+            table_names = await db.table_names()
             hidden_table_names = set(await db.hidden_table_names())
 
-            # Determine which allowed items are views
-            view_names_set = set(await db.view_names())
-            views = [
-                {"name": child_name, "private": resource.private}
-                for child_name, resource in allowed_for_db.items()
-                if child_name in view_names_set
-            ]
-
-            # Filter to just tables (not views) for table processing
-            table_names = [name for name in table_names if name not in view_names_set]
+            views = []
+            for view_name in await db.view_names():
+                view_visible, view_private = await self.ds.check_visibility(
+                    request.actor,
+                    "view-table",
+                    (name, view_name),
+                )
+                if view_visible:
+                    views.append({"name": view_name, "private": view_private})
 
             # Perform counts only for immutable or DBS with <= COUNT_TABLE_LIMIT tables
             table_counts = {}
@@ -79,10 +58,13 @@ class IndexView(BaseView):
 
             tables = {}
             for table in table_names:
-                # Check if table is in allowed set
-                if table not in allowed_for_db:
+                visible, private = await self.ds.check_visibility(
+                    request.actor,
+                    "view-table",
+                    (name, table),
+                )
+                if not visible:
                     continue
-
                 table_columns = await db.table_columns(table)
                 tables[table] = {
                     "name": table,
@@ -92,7 +74,7 @@ class IndexView(BaseView):
                     "hidden": table in hidden_table_names,
                     "fts_table": await db.fts_table(table),
                     "num_relationships_for_sorting": 0,
-                    "private": allowed_for_db[table].private,
+                    "private": private,
                 }
 
             if request.args.get("_sort") == "relationships" or not table_counts:
@@ -178,8 +160,8 @@ class IndexView(BaseView):
                     "databases": databases,
                     "metadata": await self.ds.get_instance_metadata(),
                     "datasette_version": __version__,
-                    "private": not await self.ds.allowed(
-                        action="view-instance", actor=None
+                    "private": not await self.ds.permission_allowed(
+                        None, "view-instance"
                     ),
                     "top_homepage": make_slot_function(
                         "top_homepage", self.ds, request
diff --git a/datasette/views/row.py b/datasette/views/row.py
index c9b74b12..f374fd94 100644
--- a/datasette/views/row.py
+++ b/datasette/views/row.py
@@ -1,7 +1,6 @@
 from datasette.utils.asgi import NotFound, Forbidden, Response
 from datasette.database import QueryInterrupted
 from datasette.events import UpdateRowEvent, DeleteRowEvent
-from datasette.resources import TableResource
 from .base import DataView, BaseView, _error
 from datasette.utils import (
     await_me_maybe,
@@ -28,8 +27,11 @@ class RowView(DataView):
         # Ensure user has permission to view this row
         visible, private = await self.ds.check_visibility(
             request.actor,
-            action="view-table",
-            resource=TableResource(database=database, table=table),
+            permissions=[
+                ("view-table", (database, table)),
+                ("view-database", database),
+                "view-instance",
+            ],
         )
         if not visible:
             raise Forbidden("You do not have permission to view this table")
@@ -182,10 +184,8 @@ async def _resolve_row_and_check_permission(datasette, request, permission):
         return False, _error(["Record not found: {}".format(e.pk_values)], 404)
 
     # Ensure user has permission to delete this row
-    if not await datasette.allowed(
-        action=permission,
-        resource=TableResource(database=resolved.db.name, table=resolved.table),
-        actor=request.actor,
+    if not await datasette.permission_allowed(
+        request.actor, permission, resource=(resolved.db.name, resolved.table)
     ):
         return False, _error(["Permission denied"], 403)
 
@@ -247,7 +247,7 @@ class RowUpdateView(BaseView):
 
         if not isinstance(data, dict):
             return _error(["JSON must be a dictionary"])
-        if "update" not in data or not isinstance(data["update"], dict):
+        if not "update" in data or not isinstance(data["update"], dict):
             return _error(["JSON must contain an update dictionary"])
 
         invalid_keys = set(data.keys()) - {"update", "return", "alter"}
@@ -257,10 +257,8 @@ class RowUpdateView(BaseView):
         update = data["update"]
 
         alter = data.get("alter")
-        if alter and not await self.ds.allowed(
-            action="alter-table",
-            resource=TableResource(database=resolved.db.name, table=resolved.table),
-            actor=request.actor,
+        if alter and not await self.ds.permission_allowed(
+            request.actor, "alter-table", resource=(resolved.db.name, resolved.table)
         ):
             return _error(["Permission denied for alter-table"], 403)
 
diff --git a/datasette/views/special.py b/datasette/views/special.py
index 411363ec..e6fbc9f3 100644
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@@ -1,7 +1,5 @@
 import json
-import logging
 from datasette.events import LogoutEvent, LoginEvent, CreateTokenEvent
-from datasette.resources import DatabaseResource, TableResource
 from datasette.utils.asgi import Response, Forbidden
 from datasette.utils import (
     actor_matches_allow,
@@ -14,20 +12,8 @@ import secrets
 import urllib
 
 
-logger = logging.getLogger(__name__)
-
-
-def _resource_path(parent, child):
-    if parent is None:
-        return "/"
-    if child is None:
-        return f"/{parent}"
-    return f"/{parent}/{child}"
-
-
 class JsonDataView(BaseView):
     name = "json_data"
-    template = "show_json.html"  # Can be overridden in subclasses
 
     def __init__(
         self,
@@ -36,50 +22,45 @@ class JsonDataView(BaseView):
         data_callback,
         needs_request=False,
         permission="view-instance",
-        template=None,
     ):
         self.ds = datasette
         self.filename = filename
         self.data_callback = data_callback
         self.needs_request = needs_request
         self.permission = permission
-        if template is not None:
-            self.template = template
 
     async def get(self, request):
+        as_format = request.url_vars["format"]
         if self.permission:
-            await self.ds.ensure_permission(action=self.permission, actor=request.actor)
+            await self.ds.ensure_permissions(request.actor, [self.permission])
         if self.needs_request:
             data = self.data_callback(request)
         else:
             data = self.data_callback()
-
-        # Return JSON or HTML depending on format parameter
-        as_format = request.url_vars.get("format")
         if as_format:
             headers = {}
             if self.ds.cors:
                 add_cors_headers(headers)
-            return Response.json(data, headers=headers)
+            return Response(
+                json.dumps(data, default=repr),
+                content_type="application/json; charset=utf-8",
+                headers=headers,
+            )
+
         else:
-            context = {
-                "filename": self.filename,
-                "data": data,
-                "data_json": json.dumps(data, indent=4, default=repr),
-            }
-            # Add has_debug_permission if this view requires permissions-debug
-            if self.permission == "permissions-debug":
-                context["has_debug_permission"] = True
             return await self.render(
-                [self.template],
+                ["show_json.html"],
                 request=request,
-                context=context,
+                context={
+                    "filename": self.filename,
+                    "data_json": json.dumps(data, indent=4, default=repr),
+                },
             )
 
 
 class PatternPortfolioView(View):
     async def get(self, request, datasette):
-        await datasette.ensure_permission(action="view-instance", actor=request.actor)
+        await datasette.ensure_permissions(request.actor, ["view-instance"])
         return Response.html(
             await datasette.render_template(
                 "patterns.html",
@@ -137,422 +118,74 @@ class PermissionsDebugView(BaseView):
     has_json_alternate = False
 
     async def get(self, request):
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
-        await self.ds.ensure_permission(action="permissions-debug", actor=request.actor)
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
+        if not await self.ds.permission_allowed(request.actor, "permissions-debug"):
+            raise Forbidden("Permission denied")
         filter_ = request.args.get("filter") or "all"
         permission_checks = list(reversed(self.ds._permission_checks))
         if filter_ == "exclude-yours":
             permission_checks = [
                 check
                 for check in permission_checks
-                if (check.actor or {}).get("id") != request.actor["id"]
+                if (check["actor"] or {}).get("id") != request.actor["id"]
             ]
         elif filter_ == "only-yours":
             permission_checks = [
                 check
                 for check in permission_checks
-                if (check.actor or {}).get("id") == request.actor["id"]
+                if (check["actor"] or {}).get("id") == request.actor["id"]
             ]
         return await self.render(
-            ["debug_permissions_playground.html"],
+            ["permissions_debug.html"],
             request,
             # list() avoids error if check is performed during template render:
             {
                 "permission_checks": permission_checks,
                 "filter": filter_,
-                "has_debug_permission": True,
                 "permissions": [
                     {
                         "name": p.name,
                         "abbr": p.abbr,
                         "description": p.description,
-                        "takes_parent": p.takes_parent,
-                        "takes_child": p.takes_child,
+                        "takes_database": p.takes_database,
+                        "takes_resource": p.takes_resource,
+                        "default": p.default,
                     }
-                    for p in self.ds.actions.values()
+                    for p in self.ds.permissions.values()
                 ],
             },
         )
 
     async def post(self, request):
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
-        await self.ds.ensure_permission(action="permissions-debug", actor=request.actor)
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
+        if not await self.ds.permission_allowed(request.actor, "permissions-debug"):
+            raise Forbidden("Permission denied")
         vars = await request.post_vars()
         actor = json.loads(vars["actor"])
         permission = vars["permission"]
-        parent = vars.get("resource_1") or None
-        child = vars.get("resource_2") or None
-
-        response, status = await _check_permission_for_actor(
-            self.ds, permission, parent, child, actor
+        resource_1 = vars["resource_1"]
+        resource_2 = vars["resource_2"]
+        resource = []
+        if resource_1:
+            resource.append(resource_1)
+        if resource_2:
+            resource.append(resource_2)
+        resource = tuple(resource)
+        if len(resource) == 1:
+            resource = resource[0]
+        result = await self.ds.permission_allowed(
+            actor, permission, resource, default="USE_DEFAULT"
         )
-        return Response.json(response, status=status)
-
-
-class AllowedResourcesView(BaseView):
-    name = "allowed"
-    has_json_alternate = False
-
-    async def get(self, request):
-        await self.ds.refresh_schemas()
-
-        # Check if user has permissions-debug (to show sensitive fields)
-        has_debug_permission = await self.ds.allowed(
-            action="permissions-debug", actor=request.actor
+        return Response.json(
+            {
+                "actor": actor,
+                "permission": permission,
+                "resource": resource,
+                "result": result,
+                "default": self.ds.permissions[permission].default,
+            }
         )
 
-        # Check if this is a request for JSON (has .json extension)
-        as_format = request.url_vars.get("format")
-
-        if not as_format:
-            # Render the HTML form (even if query parameters are present)
-            # Put most common/interesting actions first
-            priority_actions = [
-                "view-instance",
-                "view-database",
-                "view-table",
-                "view-query",
-                "execute-sql",
-                "insert-row",
-                "update-row",
-                "delete-row",
-            ]
-            actions = list(self.ds.actions.keys())
-            # Priority actions first (in order), then remaining alphabetically
-            sorted_actions = [a for a in priority_actions if a in actions]
-            sorted_actions.extend(
-                sorted(a for a in actions if a not in priority_actions)
-            )
-
-            return await self.render(
-                ["debug_allowed.html"],
-                request,
-                {
-                    "supported_actions": sorted_actions,
-                    "has_debug_permission": has_debug_permission,
-                },
-            )
-
-        payload, status = await self._allowed_payload(request, has_debug_permission)
-        headers = {}
-        if self.ds.cors:
-            add_cors_headers(headers)
-        return Response.json(payload, status=status, headers=headers)
-
-    async def _allowed_payload(self, request, has_debug_permission):
-        action = request.args.get("action")
-        if not action:
-            return {"error": "action parameter is required"}, 400
-        if action not in self.ds.actions:
-            return {"error": f"Unknown action: {action}"}, 404
-
-        actor = request.actor if isinstance(request.actor, dict) else None
-        actor_id = actor.get("id") if actor else None
-        parent_filter = request.args.get("parent")
-        child_filter = request.args.get("child")
-        if child_filter and not parent_filter:
-            return {"error": "parent must be provided when child is specified"}, 400
-
-        try:
-            page = int(request.args.get("page", "1"))
-            page_size = int(request.args.get("page_size", "50"))
-        except ValueError:
-            return {"error": "page and page_size must be integers"}, 400
-        if page < 1:
-            return {"error": "page must be >= 1"}, 400
-        if page_size < 1:
-            return {"error": "page_size must be >= 1"}, 400
-        max_page_size = 200
-        if page_size > max_page_size:
-            page_size = max_page_size
-        offset = (page - 1) * page_size
-
-        # Use the simplified allowed_resources method
-        # Collect all resources with optional reasons for debugging
-        try:
-            allowed_rows = []
-            result = await self.ds.allowed_resources(
-                action=action,
-                actor=actor,
-                parent=parent_filter,
-                include_reasons=has_debug_permission,
-            )
-            async for resource in result.all():
-                parent_val = resource.parent
-                child_val = resource.child
-
-                # Build resource path
-                if parent_val is None:
-                    resource_path = "/"
-                elif child_val is None:
-                    resource_path = f"/{parent_val}"
-                else:
-                    resource_path = f"/{parent_val}/{child_val}"
-
-                row = {
-                    "parent": parent_val,
-                    "child": child_val,
-                    "resource": resource_path,
-                }
-
-                # Add reason if we have it (from include_reasons=True)
-                if has_debug_permission and hasattr(resource, "reasons"):
-                    row["reason"] = resource.reasons
-
-                allowed_rows.append(row)
-        except Exception:
-            # If catalog tables don't exist yet, return empty results
-            return (
-                {
-                    "action": action,
-                    "actor_id": actor_id,
-                    "page": page,
-                    "page_size": page_size,
-                    "total": 0,
-                    "items": [],
-                },
-                200,
-            )
-
-        # Apply child filter if specified
-        if child_filter is not None:
-            allowed_rows = [row for row in allowed_rows if row["child"] == child_filter]
-
-        # Pagination
-        total = len(allowed_rows)
-        paged_rows = allowed_rows[offset : offset + page_size]
-
-        # Items are already in the right format
-        items = paged_rows
-
-        def build_page_url(page_number):
-            pairs = []
-            for key in request.args:
-                if key in {"page", "page_size"}:
-                    continue
-                for value in request.args.getlist(key):
-                    pairs.append((key, value))
-            pairs.append(("page", str(page_number)))
-            pairs.append(("page_size", str(page_size)))
-            query = urllib.parse.urlencode(pairs)
-            return f"{request.path}?{query}"
-
-        response = {
-            "action": action,
-            "actor_id": actor_id,
-            "page": page,
-            "page_size": page_size,
-            "total": total,
-            "items": items,
-        }
-
-        if total > offset + page_size:
-            response["next_url"] = build_page_url(page + 1)
-        if page > 1:
-            response["previous_url"] = build_page_url(page - 1)
-
-        return response, 200
-
-
-class PermissionRulesView(BaseView):
-    name = "permission_rules"
-    has_json_alternate = False
-
-    async def get(self, request):
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
-        await self.ds.ensure_permission(action="permissions-debug", actor=request.actor)
-
-        # Check if this is a request for JSON (has .json extension)
-        as_format = request.url_vars.get("format")
-
-        if not as_format:
-            # Render the HTML form (even if query parameters are present)
-            return await self.render(
-                ["debug_rules.html"],
-                request,
-                {
-                    "sorted_actions": sorted(self.ds.actions.keys()),
-                    "has_debug_permission": True,
-                },
-            )
-
-        # JSON API - action parameter is required
-        action = request.args.get("action")
-        if not action:
-            return Response.json({"error": "action parameter is required"}, status=400)
-        if action not in self.ds.actions:
-            return Response.json({"error": f"Unknown action: {action}"}, status=404)
-
-        actor = request.actor if isinstance(request.actor, dict) else None
-
-        try:
-            page = int(request.args.get("page", "1"))
-            page_size = int(request.args.get("page_size", "50"))
-        except ValueError:
-            return Response.json(
-                {"error": "page and page_size must be integers"}, status=400
-            )
-        if page < 1:
-            return Response.json({"error": "page must be >= 1"}, status=400)
-        if page_size < 1:
-            return Response.json({"error": "page_size must be >= 1"}, status=400)
-        max_page_size = 200
-        if page_size > max_page_size:
-            page_size = max_page_size
-        offset = (page - 1) * page_size
-
-        from datasette.utils.actions_sql import build_permission_rules_sql
-
-        union_sql, union_params, restriction_sqls = await build_permission_rules_sql(
-            self.ds, actor, action
-        )
-        await self.ds.refresh_schemas()
-        db = self.ds.get_internal_database()
-
-        count_query = f"""
-        WITH rules AS (
-            {union_sql}
-        )
-        SELECT COUNT(*) AS count
-        FROM rules
-        """
-        count_row = (await db.execute(count_query, union_params)).first()
-        total = count_row["count"] if count_row else 0
-
-        data_query = f"""
-        WITH rules AS (
-            {union_sql}
-        )
-        SELECT parent, child, allow, reason, source_plugin
-        FROM rules
-        ORDER BY allow DESC, (parent IS NOT NULL), parent, child
-        LIMIT :limit OFFSET :offset
-        """
-        params = {**union_params, "limit": page_size, "offset": offset}
-        rows = await db.execute(data_query, params)
-
-        items = []
-        for row in rows:
-            parent = row["parent"]
-            child = row["child"]
-            items.append(
-                {
-                    "parent": parent,
-                    "child": child,
-                    "resource": _resource_path(parent, child),
-                    "allow": row["allow"],
-                    "reason": row["reason"],
-                    "source_plugin": row["source_plugin"],
-                }
-            )
-
-        def build_page_url(page_number):
-            pairs = []
-            for key in request.args:
-                if key in {"page", "page_size"}:
-                    continue
-                for value in request.args.getlist(key):
-                    pairs.append((key, value))
-            pairs.append(("page", str(page_number)))
-            pairs.append(("page_size", str(page_size)))
-            query = urllib.parse.urlencode(pairs)
-            return f"{request.path}?{query}"
-
-        response = {
-            "action": action,
-            "actor_id": (actor or {}).get("id") if actor else None,
-            "page": page,
-            "page_size": page_size,
-            "total": total,
-            "items": items,
-        }
-
-        if total > offset + page_size:
-            response["next_url"] = build_page_url(page + 1)
-        if page > 1:
-            response["previous_url"] = build_page_url(page - 1)
-
-        headers = {}
-        if self.ds.cors:
-            add_cors_headers(headers)
-        return Response.json(response, headers=headers)
-
-
-async def _check_permission_for_actor(ds, action, parent, child, actor):
-    """Shared logic for checking permissions. Returns a dict with check results."""
-    if action not in ds.actions:
-        return {"error": f"Unknown action: {action}"}, 404
-
-    if child and not parent:
-        return {"error": "parent is required when child is provided"}, 400
-
-    # Use the action's properties to create the appropriate resource object
-    action_obj = ds.actions.get(action)
-    if not action_obj:
-        return {"error": f"Unknown action: {action}"}, 400
-
-    # Global actions (no resource_class) don't have a resource
-    if action_obj.resource_class is None:
-        resource_obj = None
-    elif action_obj.takes_parent and action_obj.takes_child:
-        # Child-level resource (e.g., TableResource, QueryResource)
-        resource_obj = action_obj.resource_class(database=parent, table=child)
-    elif action_obj.takes_parent:
-        # Parent-level resource (e.g., DatabaseResource)
-        resource_obj = action_obj.resource_class(database=parent)
-    else:
-        # This shouldn't happen given validation in Action.__post_init__
-        return {"error": f"Invalid action configuration: {action}"}, 500
-
-    allowed = await ds.allowed(action=action, resource=resource_obj, actor=actor)
-
-    response = {
-        "action": action,
-        "allowed": bool(allowed),
-        "resource": {
-            "parent": parent,
-            "child": child,
-            "path": _resource_path(parent, child),
-        },
-    }
-
-    if actor and "id" in actor:
-        response["actor_id"] = actor["id"]
-
-    return response, 200
-
-
-class PermissionCheckView(BaseView):
-    name = "permission_check"
-    has_json_alternate = False
-
-    async def get(self, request):
-        await self.ds.ensure_permission(action="permissions-debug", actor=request.actor)
-        as_format = request.url_vars.get("format")
-
-        if not as_format:
-            return await self.render(
-                ["debug_check.html"],
-                request,
-                {
-                    "sorted_actions": sorted(self.ds.actions.keys()),
-                    "has_debug_permission": True,
-                },
-            )
-
-        # JSON API - action parameter is required
-        action = request.args.get("action")
-        if not action:
-            return Response.json({"error": "action parameter is required"}, status=400)
-
-        parent = request.args.get("parent")
-        child = request.args.get("child")
-
-        response, status = await _check_permission_for_actor(
-            self.ds, action, parent, child, request.actor
-        )
-        return Response.json(response, status=status)
-
 
 class AllowDebugView(BaseView):
     name = "allow_debug"
@@ -585,9 +218,6 @@ class AllowDebugView(BaseView):
                 "error": "\n\n".join(errors) if errors else "",
                 "actor_input": actor_input,
                 "allow_input": allow_input,
-                "has_debug_permission": await self.ds.allowed(
-                    action="permissions-debug", actor=request.actor
-                ),
             },
         )
 
@@ -597,11 +227,11 @@ class MessagesDebugView(BaseView):
     has_json_alternate = False
 
     async def get(self, request):
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
         return await self.render(["messages_debug.html"], request)
 
     async def post(self, request):
-        await self.ds.ensure_permission(action="view-instance", actor=request.actor)
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
         post = await request.post_vars()
         message = post.get("message", "")
         message_type = post.get("message_type") or "INFO"
@@ -637,45 +267,45 @@ class CreateTokenView(BaseView):
     async def shared(self, request):
         self.check_permission(request)
         # Build list of databases and tables the user has permission to view
-        db_page = await self.ds.allowed_resources("view-database", request.actor)
-        allowed_databases = [r async for r in db_page.all()]
-
-        table_page = await self.ds.allowed_resources("view-table", request.actor)
-        allowed_tables = [r async for r in table_page.all()]
-
-        # Build database -> tables mapping
         database_with_tables = []
-        for db_resource in allowed_databases:
-            database_name = db_resource.parent
-            if database_name == "_memory":
+        for database in self.ds.databases.values():
+            if database.name == "_memory":
                 continue
-
-            # Find tables for this database
+            if not await self.ds.permission_allowed(
+                request.actor, "view-database", database.name
+            ):
+                continue
+            hidden_tables = await database.hidden_table_names()
             tables = []
-            for table_resource in allowed_tables:
-                if table_resource.parent == database_name:
-                    tables.append(
-                        {
-                            "name": table_resource.child,
-                            "encoded": tilde_encode(table_resource.child),
-                        }
-                    )
-
+            for table in await database.table_names():
+                if table in hidden_tables:
+                    continue
+                if not await self.ds.permission_allowed(
+                    request.actor,
+                    "view-table",
+                    resource=(database.name, table),
+                ):
+                    continue
+                tables.append({"name": table, "encoded": tilde_encode(table)})
             database_with_tables.append(
                 {
-                    "name": database_name,
-                    "encoded": tilde_encode(database_name),
+                    "name": database.name,
+                    "encoded": tilde_encode(database.name),
                     "tables": tables,
                 }
             )
         return {
             "actor": request.actor,
-            "all_actions": self.ds.actions.keys(),
-            "database_actions": [
-                key for key, value in self.ds.actions.items() if value.takes_parent
+            "all_permissions": self.ds.permissions.keys(),
+            "database_permissions": [
+                key
+                for key, value in self.ds.permissions.items()
+                if value.takes_database
             ],
-            "child_actions": [
-                key for key, value in self.ds.actions.items() if value.takes_child
+            "resource_permissions": [
+                key
+                for key, value in self.ds.permissions.items()
+                if value.takes_resource
             ],
             "database_with_tables": database_with_tables,
         }
@@ -761,10 +391,10 @@ class ApiExplorerView(BaseView):
     async def example_links(self, request):
         databases = []
         for name, db in self.ds.databases.items():
+            if name == "_internal":
+                continue
             database_visible, _ = await self.ds.check_visibility(
-                request.actor,
-                action="view-database",
-                resource=DatabaseResource(database=name),
+                request.actor, permissions=[("view-database", name), "view-instance"]
             )
             if not database_visible:
                 continue
@@ -773,8 +403,11 @@ class ApiExplorerView(BaseView):
             for table in table_names:
                 visible, _ = await self.ds.check_visibility(
                     request.actor,
-                    action="view-table",
-                    resource=TableResource(database=name, table=table),
+                    permissions=[
+                        ("view-table", (name, table)),
+                        ("view-database", name),
+                        "view-instance",
+                    ],
                 )
                 if not visible:
                     continue
@@ -791,10 +424,8 @@ class ApiExplorerView(BaseView):
                 if not db.is_mutable:
                     continue
 
-                if await self.ds.allowed(
-                    action="insert-row",
-                    resource=TableResource(database=name, table=table),
-                    actor=request.actor,
+                if await self.ds.permission_allowed(
+                    request.actor, "insert-row", (name, table)
                 ):
                     pks = await db.primary_keys(table)
                     table_links.extend(
@@ -829,10 +460,8 @@ class ApiExplorerView(BaseView):
                             },
                         ]
                     )
-                if await self.ds.allowed(
-                    action="drop-table",
-                    resource=TableResource(database=name, table=table),
-                    actor=request.actor,
+                if await self.ds.permission_allowed(
+                    request.actor, "drop-table", (name, table)
                 ):
                     table_links.append(
                         {
@@ -844,11 +473,7 @@ class ApiExplorerView(BaseView):
                     )
             database_links = []
             if (
-                await self.ds.allowed(
-                    action="create-table",
-                    resource=DatabaseResource(database=name),
-                    actor=request.actor,
-                )
+                await self.ds.permission_allowed(request.actor, "create-table", name)
                 and db.is_mutable
             ):
                 database_links.append(
@@ -881,7 +506,7 @@ class ApiExplorerView(BaseView):
     async def get(self, request):
         visible, private = await self.ds.check_visibility(
             request.actor,
-            action="view-instance",
+            permissions=["view-instance"],
         )
         if not visible:
             raise Forbidden("You do not have permission to view this instance")
@@ -906,253 +531,3 @@ class ApiExplorerView(BaseView):
                 "private": private,
             },
         )
-
-
-class TablesView(BaseView):
-    """
-    Simple endpoint that uses the new allowed_resources() API.
-    Returns JSON list of all tables the actor can view.
-
-    Supports ?q=foo+bar to filter tables matching .*foo.*bar.* pattern,
-    ordered by shortest name first.
-    """
-
-    name = "tables"
-    has_json_alternate = False
-
-    async def get(self, request):
-        # Get search query parameter
-        q = request.args.get("q", "").strip()
-
-        # Get SQL for allowed resources using the permission system
-        permission_sql, params = await self.ds.allowed_resources_sql(
-            action="view-table", actor=request.actor
-        )
-
-        # Build query based on whether we have a search query
-        if q:
-            # Build SQL LIKE pattern from search terms
-            # Split search terms by whitespace and build pattern: %term1%term2%term3%
-            terms = q.split()
-            pattern = "%" + "%".join(terms) + "%"
-
-            # Build query with CTE to filter by search pattern
-            sql = f"""
-            WITH allowed_tables AS (
-                {permission_sql}
-            )
-            SELECT parent, child
-            FROM allowed_tables
-            WHERE child LIKE :pattern COLLATE NOCASE
-            ORDER BY length(child), child
-            """
-            all_params = {**params, "pattern": pattern}
-        else:
-            # No search query - return all tables, ordered by name
-            # Fetch 101 to detect if we need to truncate
-            sql = f"""
-            WITH allowed_tables AS (
-                {permission_sql}
-            )
-            SELECT parent, child
-            FROM allowed_tables
-            ORDER BY parent, child
-            LIMIT 101
-            """
-            all_params = params
-
-        # Execute against internal database
-        result = await self.ds.get_internal_database().execute(sql, all_params)
-
-        # Build response with truncation
-        rows = list(result.rows)
-        truncated = len(rows) > 100
-        if truncated:
-            rows = rows[:100]
-
-        matches = [
-            {
-                "name": f"{row['parent']}: {row['child']}",
-                "url": self.ds.urls.table(row["parent"], row["child"]),
-            }
-            for row in rows
-        ]
-
-        return Response.json({"matches": matches, "truncated": truncated})
-
-
-class SchemaBaseView(BaseView):
-    """Base class for schema views with common response formatting."""
-
-    has_json_alternate = False
-
-    async def get_database_schema(self, database_name):
-        """Get schema SQL for a database."""
-        db = self.ds.databases[database_name]
-        result = await db.execute(
-            "select group_concat(sql, ';' || CHAR(10)) as schema from sqlite_master where sql is not null"
-        )
-        row = result.first()
-        return row["schema"] if row and row["schema"] else ""
-
-    def format_json_response(self, data):
-        """Format data as JSON response with CORS headers if needed."""
-        headers = {}
-        if self.ds.cors:
-            add_cors_headers(headers)
-        return Response.json(data, headers=headers)
-
-    def format_error_response(self, error_message, format_, status=404):
-        """Format error response based on requested format."""
-        if format_ == "json":
-            headers = {}
-            if self.ds.cors:
-                add_cors_headers(headers)
-            return Response.json(
-                {"ok": False, "error": error_message}, status=status, headers=headers
-            )
-        else:
-            return Response.text(error_message, status=status)
-
-    def format_markdown_response(self, heading, schema):
-        """Format schema as Markdown response."""
-        md_output = f"# {heading}\n\n```sql\n{schema}\n```\n"
-        return Response.text(
-            md_output, headers={"content-type": "text/markdown; charset=utf-8"}
-        )
-
-    async def format_html_response(
-        self, request, schemas, is_instance=False, table_name=None
-    ):
-        """Format schema as HTML response."""
-        context = {
-            "schemas": schemas,
-            "is_instance": is_instance,
-        }
-        if table_name:
-            context["table_name"] = table_name
-        return await self.render(["schema.html"], request=request, context=context)
-
-
-class InstanceSchemaView(SchemaBaseView):
-    """
-    Displays schema for all databases in the instance.
-    Supports HTML, JSON, and Markdown formats.
-    """
-
-    name = "instance_schema"
-
-    async def get(self, request):
-        format_ = request.url_vars.get("format") or "html"
-
-        # Get all databases the actor can view
-        allowed_databases_page = await self.ds.allowed_resources(
-            "view-database",
-            request.actor,
-        )
-        allowed_databases = [r.parent async for r in allowed_databases_page.all()]
-
-        # Get schema for each database
-        schemas = []
-        for database_name in allowed_databases:
-            schema = await self.get_database_schema(database_name)
-            schemas.append({"database": database_name, "schema": schema})
-
-        if format_ == "json":
-            return self.format_json_response({"schemas": schemas})
-        elif format_ == "md":
-            md_parts = [
-                f"# Schema for {item['database']}\n\n```sql\n{item['schema']}\n```"
-                for item in schemas
-            ]
-            return Response.text(
-                "\n\n".join(md_parts),
-                headers={"content-type": "text/markdown; charset=utf-8"},
-            )
-        else:
-            return await self.format_html_response(request, schemas, is_instance=True)
-
-
-class DatabaseSchemaView(SchemaBaseView):
-    """
-    Displays schema for a specific database.
-    Supports HTML, JSON, and Markdown formats.
-    """
-
-    name = "database_schema"
-
-    async def get(self, request):
-        database_name = request.url_vars["database"]
-        format_ = request.url_vars.get("format") or "html"
-
-        # Check if database exists
-        if database_name not in self.ds.databases:
-            return self.format_error_response("Database not found", format_)
-
-        # Check view-database permission
-        await self.ds.ensure_permission(
-            action="view-database",
-            resource=DatabaseResource(database=database_name),
-            actor=request.actor,
-        )
-
-        schema = await self.get_database_schema(database_name)
-
-        if format_ == "json":
-            return self.format_json_response(
-                {"database": database_name, "schema": schema}
-            )
-        elif format_ == "md":
-            return self.format_markdown_response(f"Schema for {database_name}", schema)
-        else:
-            schemas = [{"database": database_name, "schema": schema}]
-            return await self.format_html_response(request, schemas)
-
-
-class TableSchemaView(SchemaBaseView):
-    """
-    Displays schema for a specific table.
-    Supports HTML, JSON, and Markdown formats.
-    """
-
-    name = "table_schema"
-
-    async def get(self, request):
-        database_name = request.url_vars["database"]
-        table_name = request.url_vars["table"]
-        format_ = request.url_vars.get("format") or "html"
-
-        # Check view-table permission
-        await self.ds.ensure_permission(
-            action="view-table",
-            resource=TableResource(database=database_name, table=table_name),
-            actor=request.actor,
-        )
-
-        # Get schema for the table
-        db = self.ds.databases[database_name]
-        result = await db.execute(
-            "select sql from sqlite_master where name = ? and sql is not null",
-            [table_name],
-        )
-        row = result.first()
-
-        # Return 404 if table doesn't exist
-        if not row or not row["sql"]:
-            return self.format_error_response("Table not found", format_)
-
-        schema = row["sql"]
-
-        if format_ == "json":
-            return self.format_json_response(
-                {"database": database_name, "table": table_name, "schema": schema}
-            )
-        elif format_ == "md":
-            return self.format_markdown_response(
-                f"Schema for {database_name}.{table_name}", schema
-            )
-        else:
-            schemas = [{"database": database_name, "schema": schema}]
-            return await self.format_html_response(
-                request, schemas, table_name=table_name
-            )
diff --git a/datasette/views/table.py b/datasette/views/table.py
index 007c0c85..0a7e5265 100644
--- a/datasette/views/table.py
+++ b/datasette/views/table.py
@@ -15,7 +15,6 @@ from datasette.events import (
     UpsertRowsEvent,
 )
 from datasette import tracer
-from datasette.resources import DatabaseResource, TableResource
 from datasette.utils import (
     add_cors_headers,
     await_me_maybe,
@@ -166,6 +165,7 @@ async def display_columns_and_rows(
     column_details = {
         col.name: col for col in await db.table_column_details(table_name)
     }
+    table_config = await datasette.table_config(database_name, table_name)
     pks = await db.primary_keys(table_name)
     pks_for_display = pks
     if not pks_for_display:
@@ -449,15 +449,11 @@ class TableInsertView(BaseView):
         if upsert:
             # Must have insert-row AND upsert-row permissions
             if not (
-                await self.ds.allowed(
-                    action="insert-row",
-                    resource=TableResource(database=database_name, table=table_name),
-                    actor=request.actor,
+                await self.ds.permission_allowed(
+                    request.actor, "insert-row", resource=(database_name, table_name)
                 )
-                and await self.ds.allowed(
-                    action="update-row",
-                    resource=TableResource(database=database_name, table=table_name),
-                    actor=request.actor,
+                and await self.ds.permission_allowed(
+                    request.actor, "update-row", resource=(database_name, table_name)
                 )
             ):
                 return _error(
@@ -465,10 +461,8 @@ class TableInsertView(BaseView):
                 )
         else:
             # Must have insert-row permission
-            if not await self.ds.allowed(
-                action="insert-row",
-                resource=TableResource(database=database_name, table=table_name),
-                actor=request.actor,
+            if not await self.ds.permission_allowed(
+                request.actor, "insert-row", resource=(database_name, table_name)
             ):
                 return _error(["Permission denied"], 403)
 
@@ -497,20 +491,16 @@ class TableInsertView(BaseView):
         if upsert and (ignore or replace):
             return _error(["Upsert does not support ignore or replace"], 400)
 
-        if replace and not await self.ds.allowed(
-            action="update-row",
-            resource=TableResource(database=database_name, table=table_name),
-            actor=request.actor,
+        if replace and not await self.ds.permission_allowed(
+            request.actor, "update-row", resource=(database_name, table_name)
         ):
             return _error(['Permission denied: need update-row to use "replace"'], 403)
 
         initial_schema = None
         if alter:
             # Must have alter-table permission
-            if not await self.ds.allowed(
-                action="alter-table",
-                resource=TableResource(database=database_name, table=table_name),
-                actor=request.actor,
+            if not await self.ds.permission_allowed(
+                request.actor, "alter-table", resource=(database_name, table_name)
             ):
                 return _error(["Permission denied for alter-table"], 403)
             # Track initial schema to check if it changed later
@@ -637,10 +627,8 @@ class TableDropView(BaseView):
         db = self.ds.get_database(database_name)
         if not await db.table_exists(table_name):
             return _error(["Table not found: {}".format(table_name)], 404)
-        if not await self.ds.allowed(
-            action="drop-table",
-            resource=TableResource(database=database_name, table=table_name),
-            actor=request.actor,
+        if not await self.ds.permission_allowed(
+            request.actor, "drop-table", resource=(database_name, table_name)
         ):
             return _error(["Permission denied"], 403)
         if not db.is_mutable:
@@ -926,10 +914,8 @@ async def table_view_traced(datasette, request):
                         "true" if datasette.setting("allow_facet") else "false"
                     ),
                     is_sortable=any(c["sortable"] for c in data["display_columns"]),
-                    allow_execute_sql=await datasette.allowed(
-                        action="execute-sql",
-                        resource=DatabaseResource(database=resolved.db.name),
-                        actor=request.actor,
+                    allow_execute_sql=await datasette.permission_allowed(
+                        request.actor, "execute-sql", resolved.db.name
                     ),
                     query_ms=1.2,
                     select_templates=[
@@ -976,8 +962,11 @@ async def table_view_data(
     # Can this user view it?
     visible, private = await datasette.check_visibility(
         request.actor,
-        action="view-table",
-        resource=TableResource(database=database_name, table=table_name),
+        permissions=[
+            ("view-table", (database_name, table_name)),
+            ("view-database", database_name),
+            "view-instance",
+        ],
     )
     if not visible:
         raise Forbidden("You do not have permission to view this table")
diff --git a/docs/authentication.rst b/docs/authentication.rst
index 69a6f606..0343dc94 100644
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@@ -6,18 +6,18 @@
 
 Datasette doesn't require authentication by default. Any visitor to a Datasette instance can explore the full data and execute read-only SQL queries.
 
-Datasette can be configured to only allow authenticated users, or to control which databases, tables, and queries can be accessed by the public or by specific users. Datasette's plugin system can be used to add many different styles of authentication, such as user accounts, single sign-on or API keys.
+Datasette's plugin system can be used to add many different styles of authentication, such as user accounts, single sign-on or API keys.
 
 .. _authentication_actor:
 
 Actors
 ======
 
-Through plugins, Datasette can support both authenticated users (with cookies) and authenticated API clients (via authentication tokens). The word "actor" is used to cover both of these cases.
+Through plugins, Datasette can support both authenticated users (with cookies) and authenticated API agents (via authentication tokens). The word "actor" is used to cover both of these cases.
 
-Every request to Datasette has an associated actor value, available in the code as ``request.actor``. This can be ``None`` for unauthenticated requests, or a JSON compatible Python dictionary for authenticated users or API clients.
+Every request to Datasette has an associated actor value, available in the code as ``request.actor``. This can be ``None`` for unauthenticated requests, or a JSON compatible Python dictionary for authenticated users or API agents.
 
-The actor dictionary can be any shape - the design of that data structure is left up to the plugins. Actors should always include a unique ``"id"`` string, as demonstrated by the "root" actor below.
+The actor dictionary can be any shape - the design of that data structure is left up to the plugins. A useful convention is to include an ``"id"`` string, as demonstrated by the "root" actor below.
 
 Plugins can use the :ref:`plugin_hook_actor_from_request` hook to implement custom logic for authenticating an actor based on the incoming HTTP request.
 
@@ -28,25 +28,13 @@ Using the "root" actor
 
 Datasette currently leaves almost all forms of authentication to plugins - `datasette-auth-github `__ for example.
 
-The one exception is the "root" account, which you can sign into while using Datasette on your local machine. The root user has **all permissions** - they can perform any action regardless of other permission rules.
-
-The ``--root`` flag is designed for local development and testing. When you start Datasette with ``--root``, the root user automatically receives every permission, including:
-
-* All view permissions (``view-instance``, ``view-database``, ``view-table``, etc.)
-* All write permissions (``insert-row``, ``update-row``, ``delete-row``, ``create-table``, ``alter-table``, ``drop-table``)
-* Debug permissions (``permissions-debug``, ``debug-menu``)
-* Any custom permissions defined by plugins
-
-If you add explicit deny rules in ``datasette.yaml`` those can still block the
-root actor from specific databases or tables.
-
-The ``--root`` flag sets an internal ``root_enabled`` switch—without it, a signed-in user with ``{"id": "root"}`` is treated like any other actor.
+The one exception is the "root" account, which you can sign into while using Datasette on your local machine. This provides access to a small number of debugging features.
 
 To sign in as root, start Datasette using the ``--root`` command-line option, like this::
 
     datasette --root
 
-Datasette will output a single-use-only login URL on startup::
+::
 
     http://127.0.0.1:8001/-/auth-token?token=786fc524e0199d70dc9a581d851f466244e114ca92f33aa3b42a139e9388daa7
     INFO:     Started server process [25801]
@@ -54,7 +42,7 @@ Datasette will output a single-use-only login URL on startup::
     INFO:     Application startup complete.
     INFO:     Uvicorn running on http://127.0.0.1:8001 (Press CTRL+C to quit)
 
-Click on that link and then visit ``http://127.0.0.1:8001/-/actor`` to confirm that you are authenticated as an actor that looks like this:
+The URL on the first line includes a one-use token which can be used to sign in as the "root" actor in your browser. Click on that link and then visit ``http://127.0.0.1:8001/-/actor`` to confirm that you are authenticated as an actor that looks like this:
 
 .. code-block:: json
 
@@ -67,7 +55,7 @@ Click on that link and then visit ``http://127.0.0.1:8001/-/actor`` to confirm t
 Permissions
 ===========
 
-Datasette's permissions system is built around SQL queries. Datasette and its plugins construct SQL queries to resolve the list of resources that an actor cas access.
+Datasette has an extensive permissions system built-in, which can be further extended and customized by plugins.
 
 The key question the permissions system answers is this:
 
@@ -75,80 +63,37 @@ The key question the permissions system answers is this:
 
 **Actors** are :ref:`described above `.
 
-An **action** is a string describing the action the actor would like to perform. A full list is :ref:`provided below ` - examples include ``view-table`` and ``execute-sql``.
+An **action** is a string describing the action the actor would like to perform. A full list is :ref:`provided below ` - examples include ``view-table`` and ``execute-sql``.
 
 A **resource** is the item the actor wishes to interact with - for example a specific database or table. Some actions, such as ``permissions-debug``, are not associated with a particular resource.
 
-Datasette's built-in view actions (``view-database``, ``view-table`` etc) are allowed by Datasette's default configuration: unless you :ref:`configure additional permission rules ` unauthenticated users will be allowed to access content.
+Datasette's built-in view permissions (``view-database``, ``view-table`` etc) default to *allow* - unless you :ref:`configure additional permission rules ` unauthenticated users will be allowed to access content.
 
-Other actions, including those introduced by plugins, will default to *deny*.
-
-.. _authentication_default_deny:
-
-Denying all permissions by default
-----------------------------------
-
-By default, Datasette allows unauthenticated access to view databases, tables, and execute SQL queries.
-
-You may want to run Datasette in a mode where **all** access is denied by default, and you explicitly grant permissions only to authenticated users, either using the :ref:`--root mechanism ` or through :ref:`configuration file rules ` or plugins.
-
-Use the ``--default-deny`` command-line option to run Datasette in this mode::
-
-    datasette --default-deny data.db --root
-
-With ``--default-deny`` enabled:
-
-* Anonymous users are denied access to view the instance, databases, tables, and queries
-* Authenticated users are also denied access unless they're explicitly granted permissions
-* The root user (when using ``--root``) still has access to everything
-* You can grant permissions using :ref:`configuration file rules ` or plugins
-
-For example, to allow only a specific user to access your instance::
-
-    datasette --default-deny data.db --config datasette.yaml
-
-Where ``datasette.yaml`` contains:
-
-.. code-block:: yaml
-
-    allow:
-      id: alice
-
-This configuration will deny access to everyone except the user with ``id`` of ``alice``.
+Permissions with potentially harmful effects should default to *deny*. Plugin authors should account for this when designing new plugins - for example, the `datasette-upload-csvs `__ plugin defaults to deny so that installations don't accidentally allow unauthenticated users to create new tables by uploading a CSV file.
 
 .. _authentication_permissions_explained:
 
 How permissions are resolved
 ----------------------------
 
-Datasette performs permission checks using the internal :ref:`datasette_allowed`, method which accepts keyword arguments for ``action``, ``resource`` and an optional ``actor``. 
+The :ref:`datasette.permission_allowed(actor, action, resource=None, default=...)` method is called to check if an actor is allowed to perform a specific action.
 
-``resource`` should be an instance of the appropriate ``Resource`` subclass from :mod:`datasette.resources`—for example ``InstanceResource()``, ``DatabaseResource(database="...``)`` or ``TableResource(database="...", table="...")``. This defaults to ``InstanceResource()`` if not specified.
+This method asks every plugin that implements the :ref:`plugin_hook_permission_allowed` hook if the actor is allowed to perform the action.
 
-When a check runs Datasette gathers allow/deny rules from multiple sources and
-compiles them into a SQL query. The resulting query describes all of the
-resources an actor may access for that action, together with the reasons those
-resources were allowed or denied. The combined sources are:
+Each plugin can return ``True`` to indicate that the actor is allowed to perform the action, ``False`` if they are not allowed and ``None`` if the plugin has no opinion on the matter.
 
-* ``allow`` blocks configured in :ref:`datasette.yaml `.
-* :ref:`Actor restrictions ` encoded into the actor dictionary or API token.
-* The "root" user shortcut when ``--root`` (or :attr:`Datasette.root_enabled `) is active, replying ``True`` to all permission chucks unless configuration rules deny them at a more specific level.
-* Any additional SQL provided by plugins implementing :ref:`plugin_hook_permission_resources_sql`.
+``False`` acts as a veto - if any plugin returns ``False`` then the permission check is denied. Otherwise, if any plugin returns ``True`` then the permission check is allowed.
 
-Datasette evaluates the SQL to determine if the requested ``resource`` is
-included. Explicit deny rules returned by configuration or plugins will block
-access even if other rules allowed it.
+The ``resource`` argument can be used to specify a specific resource that the action is being performed against. Some permissions, such as ``view-instance``, do not involve a resource. Others such as ``view-database`` have a resource that is a string naming the database. Permissions that take both a database name and the name of a table, view or canned query within that database use a resource that is a tuple of two strings, ``(database_name, resource_name)``.
+
+Plugins that implement the ``permission_allowed()`` hook can decide if they are going to consider the provided resource or not.
 
 .. _authentication_permissions_allow:
 
 Defining permissions with "allow" blocks
 ----------------------------------------
 
-One way to define permissions in Datasette is to use an ``"allow"`` block :ref:`in the datasette.yaml file `. This is a JSON document describing which actors are allowed to perform an action against a specific resource.
-
-Each ``allow`` block is compiled into SQL and combined with any
-:ref:`plugin-provided rules ` to produce
-the cascading allow/deny decisions that power :ref:`datasette_allowed`.
+The standard way to define permissions in Datasette is to use an ``"allow"`` block :ref:`in the datasette.yaml file `. This is a JSON document describing which actors are allowed to perform a permission.
 
 The most basic form of allow block is this (`allow demo `__, `deny demo `__):
 
@@ -470,7 +415,7 @@ You can control the following:
 * Access to specific tables and views
 * Access to specific :ref:`canned_queries`
 
-If a user has permission to view a table they will be able to view that table, independent of if they have permission to view the database or instance that the table exists within.
+If a user cannot access a specific database, they will not be able to access tables, views or queries within that database. If a user cannot access the instance they will not be able to access any of the databases, tables, views or queries.
 
 .. _authentication_permissions_instance:
 
@@ -708,7 +653,7 @@ Controlling the ability to execute arbitrary SQL
 
 Datasette defaults to allowing any site visitor to execute their own custom SQL queries, for example using the form on `the database page `__ or by appending a ``?_where=`` parameter to the table page `like this `__.
 
-Access to this ability is controlled by the :ref:`actions_execute_sql` permission.
+Access to this ability is controlled by the :ref:`permissions_execute_sql` permission.
 
 The easiest way to disable arbitrary SQL queries is using the :ref:`default_allow_sql setting ` when you first start Datasette running.
 
@@ -1066,37 +1011,15 @@ This example outputs the following::
       }
     }
 
-Restrictions act as an allowlist layered on top of the actor's existing
-permissions. They can only remove access the actor would otherwise have—they
-cannot grant new access. If the underlying actor is denied by ``allow`` rules in
-``datasette.yaml`` or by a plugin, a token that lists that resource in its
-``"_r"`` section will still be denied.
-
 
 .. _permissions_plugins:
 
 Checking permissions in plugins
 ===============================
 
-Datasette plugins can check if an actor has permission to perform an action using :ref:`datasette_allowed`—for example::
+Datasette plugins can check if an actor has permission to perform an action using the :ref:`datasette.permission_allowed(...)` method.
 
-    from datasette.resources import TableResource
-
-    can_edit = await datasette.allowed(
-        action="update-row",
-        resource=TableResource(database="fixtures", table="facetable"),
-        actor=request.actor,
-    )
-
-Use :ref:`datasette_ensure_permission` when you need to enforce a permission and
-raise a ``Forbidden`` error automatically.
-
-Plugins that define new operations should return :class:`~datasette.permissions.Action`
-objects from :ref:`plugin_register_actions` and can supply additional allow/deny
-rules by returning :class:`~datasette.permissions.PermissionSQL` objects from the
-:ref:`plugin_hook_permission_resources_sql` hook. Those rules are merged with
-configuration ``allow`` blocks and actor restrictions to determine the final
-result for each check.
+Datasette core performs a number of permission checks, :ref:`documented below `. Plugins can implement the :ref:`plugin_hook_permission_allowed` plugin hook to participate in decisions about whether an actor should be able to perform a specified action.
 
 .. _authentication_actor_matches_allow:
 
@@ -1116,56 +1039,17 @@ The currently authenticated actor is made available to plugins as ``request.acto
 
 .. _PermissionsDebugView:
 
-Permissions debug tools
-=======================
+The permissions debug tool
+==========================
 
-The debug tool at ``/-/permissions`` is available to any actor with the ``permissions-debug`` permission. By default this is just the :ref:`authenticated root user ` but you can open it up to all users by starting Datasette like this::
+The debug tool at ``/-/permissions`` is only available to the :ref:`authenticated root user ` (or any actor granted the ``permissions-debug`` action).
 
-    datasette -s permissions.permissions-debug true data.db
-
-The page shows the permission checks that have been carried out by the Datasette instance.
+It shows the thirty most recent permission checks that have been carried out by the Datasette instance.
 
 It also provides an interface for running hypothetical permission checks against a hypothetical actor. This is a useful way of confirming that your configured permissions work in the way you expect.
 
 This is designed to help administrators and plugin authors understand exactly how permission checks are being carried out, in order to effectively configure Datasette's permission system.
 
-.. _AllowedResourcesView:
-
-Allowed resources view
-----------------------
-
-The ``/-/allowed`` endpoint displays resources that the current actor can access for a specified ``action``.
-
-This endpoint provides an interactive HTML form interface. Add ``.json`` to the URL path (e.g. ``/-/allowed.json``) to get the raw JSON response instead.
-
-Pass ``?action=view-table`` (or another action) to select the action. Optional ``parent=`` and ``child=`` query parameters can narrow the results to a specific database/table pair.
-
-This endpoint is publicly accessible to help users understand their own permissions. The potentially sensitive ``reason`` field is only shown to users with the ``permissions-debug`` permission - it shows the plugins and explanatory reasons that were responsible for each decision.
-
-.. _PermissionRulesView:
-
-Permission rules view
----------------------
-
-The ``/-/rules`` endpoint displays all permission rules (both allow and deny) for each candidate resource for the requested action.
-
-This endpoint provides an interactive HTML form interface. Add ``.json`` to the URL path (e.g. ``/-/rules.json?action=view-table``) to get the raw JSON response instead.
-
-Pass ``?action=`` as a query parameter to specify which action to check.
-
-This endpoint requires the ``permissions-debug`` permission.
-
-.. _PermissionCheckView:
-
-Permission check view
----------------------
-
-The ``/-/check`` endpoint evaluates a single action/resource pair and returns information indicating whether the access was allowed along with diagnostic information.
-
-This endpoint provides an interactive HTML form interface. Add ``.json`` to the URL path (e.g. ``/-/check.json?action=view-instance``) to get the raw JSON response instead.
-
-Pass ``?action=`` to specify the action to check, and optional ``?parent=`` and ``?child=`` parameters to specify the resource.
-
 .. _authentication_ds_actor:
 
 The ds_actor cookie
@@ -1231,156 +1115,168 @@ The /-/logout page
 
 The page at ``/-/logout`` provides the ability to log out of a ``ds_actor`` cookie authentication session.
 
-.. _actions:
+.. _permissions:
 
-Built-in actions
-================
+Built-in permissions
+====================
 
 This section lists all of the permission checks that are carried out by Datasette core, along with the ``resource`` if it was passed.
 
-.. _actions_view_instance:
+.. _permissions_view_instance:
 
 view-instance
 -------------
 
 Top level permission - Actor is allowed to view any pages within this instance, starting at https://latest.datasette.io/
 
-.. _actions_view_database:
+Default *allow*.
+
+.. _permissions_view_database:
 
 view-database
 -------------
 
 Actor is allowed to view a database page, e.g. https://latest.datasette.io/fixtures
 
-``resource`` - ``datasette.permissions.DatabaseResource(database)``
-    ``database`` is the name of the database (string)
+``resource`` - string
+    The name of the database
 
-.. _actions_view_database_download:
+Default *allow*.
+
+.. _permissions_view_database_download:
 
 view-database-download
-----------------------
+-----------------------
 
 Actor is allowed to download a database, e.g. https://latest.datasette.io/fixtures.db
 
-``resource`` - ``datasette.resources.DatabaseResource(database)``
-    ``database`` is the name of the database (string)
+``resource`` - string
+    The name of the database
 
-.. _actions_view_table:
+Default *allow*.
+
+.. _permissions_view_table:
 
 view-table
 ----------
 
 Actor is allowed to view a table (or view) page, e.g. https://latest.datasette.io/fixtures/complex_foreign_keys
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *allow*.
 
-.. _actions_view_query:
+.. _permissions_view_query:
 
 view-query
 ----------
 
 Actor is allowed to view (and execute) a :ref:`canned query ` page, e.g. https://latest.datasette.io/fixtures/pragma_cache_size - this includes executing :ref:`canned_queries_writable`.
 
-``resource`` - ``datasette.resources.QueryResource(database, query)``
-    ``database`` is the name of the database (string)
-    
-    ``query`` is the name of the canned query (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the canned query
 
-.. _actions_insert_row:
+Default *allow*.
+
+.. _permissions_insert_row:
 
 insert-row
 ----------
 
 Actor is allowed to insert rows into a table.
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *deny*.
 
-.. _actions_delete_row:
+.. _permissions_delete_row:
 
 delete-row
 ----------
 
 Actor is allowed to delete rows from a table.
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *deny*.
 
-.. _actions_update_row:
+.. _permissions_update_row:
 
 update-row
 ----------
 
 Actor is allowed to update rows in a table.
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *deny*.
 
-.. _actions_create_table:
+.. _permissions_create_table:
 
 create-table
 ------------
 
 Actor is allowed to create a database table.
 
-``resource`` - ``datasette.resources.DatabaseResource(database)``
-    ``database`` is the name of the database (string)
+``resource`` - string
+    The name of the database
 
-.. _actions_alter_table:
+Default *deny*.
+
+.. _permissions_alter_table:
 
 alter-table
 -----------
 
 Actor is allowed to alter a database table.
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *deny*.
 
-.. _actions_drop_table:
+.. _permissions_drop_table:
 
 drop-table
 ----------
 
 Actor is allowed to drop a database table.
 
-``resource`` - ``datasette.resources.TableResource(database, table)``
-    ``database`` is the name of the database (string)
+``resource`` - tuple: (string, string)
+    The name of the database, then the name of the table
 
-    ``table`` is the name of the table (string)
+Default *deny*.
 
-.. _actions_execute_sql:
+.. _permissions_execute_sql:
 
 execute-sql
 -----------
 
-Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures/-/query?sql=select+100
+Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures?sql=select+100
 
-``resource`` - ``datasette.resources.DatabaseResource(database)``
-    ``database`` is the name of the database (string)
+``resource`` - string
+    The name of the database
 
-See also :ref:`the default_allow_sql setting `.
+Default *allow*. See also :ref:`the default_allow_sql setting `.
 
-.. _actions_permissions_debug:
+.. _permissions_permissions_debug:
 
 permissions-debug
 -----------------
 
-Actor is allowed to view the ``/-/permissions`` debug tools.
+Actor is allowed to view the ``/-/permissions`` debug page.
 
-.. _actions_debug_menu:
+Default *deny*.
+
+.. _permissions_debug_menu:
 
 debug-menu
 ----------
 
 Controls if the various debug pages are displayed in the navigation menu.
+
+Default *deny*.
diff --git a/docs/changelog.rst b/docs/changelog.rst
index feba7e86..37bee290 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -4,93 +4,6 @@
 Changelog
 =========
 
-.. _v1_0_a23:
-
-1.0a23 (2025-12-02)
--------------------
-
-- Fix for bug where a stale database entry in ``internal.db`` could cause a 500 error on the homepage. (:issue:`2605`)
-- Cosmetic improvement to ``/-/actions`` page. (:issue:`2599`)
-
-.. _v1_0_a22:
-
-1.0a22 (2025-11-13)
--------------------
-
-- ``datasette serve --default-deny`` option for running Datasette configured to  :ref:`deny all permissions by default `. (:issue:`2592`)
-- ``datasette.is_client()`` method for detecting if code is :ref:`executing inside a datasette.client request `. (:issue:`2594`)
-- ``datasette.pm`` property can now be used to :ref:`register and unregister plugins in tests `. (:issue:`2595`)
-
-.. _v1_0_a21:
-
-1.0a21 (2025-11-05)
--------------------
-
-- Fixes an **open redirect** security issue: Datasette instances would redirect to ``example.com/foo/bar`` if you accessed the path ``//example.com/foo/bar``. Thanks to `James Jefferies `__ for the fix. (:issue:`2429`)
-- Fixed ``datasette publish cloudrun`` to work with changes to the underlying Cloud Run architecture. (:issue:`2511`)
-- New ``datasette --get /path --headers`` option for inspecting the headers returned by a path. (:issue:`2578`)
-- New ``datasette.client.get(..., skip_permission_checks=True)`` parameter to bypass permission checks when making requests using the internal client. (:issue:`2583`)
-
-.. _v0_65_2:
-
-0.65.2 (2025-11-05)
--------------------
-
-- Fixes an **open redirect** security issue: Datasette instances would redirect to ``example.com/foo/bar`` if you accessed the path ``//example.com/foo/bar``. Thanks to `James Jefferies `__ for the fix. (:issue:`2429`)
-- Upgraded for compatibility with Python 3.14.
-- Fixed ``datasette publish cloudrun`` to work with changes to the underlying Cloud Run architecture. (:issue:`2511`)
-- Minor upgrades to fix warnings, including ``pkg_resources`` deprecation.
-
-.. _v1_0_a20:
-
-1.0a20 (2025-11-03)
--------------------
-
-This alpha introduces a major breaking change prior to the 1.0 release of Datasette concerning how Datasette's permission system works.
-
-Permission system redesign
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Previously the permission system worked using ``datasette.permission_allowed()`` checks which consulted all available plugins in turn to determine whether a given actor was allowed to perform a given action on a given resource.
-
-This approach could become prohibitively expensive for large lists of items - for example to determine the list of tables that a user could view in a large Datasette instance each plugin implementation of that hook would be fired for every table.
-
-The new design uses SQL queries against Datasette's internal :ref:`catalog tables ` to derive the list of resources for which an actor has permission for a given action. This turns an N x M problem (N resources, M plugins) into a single SQL query.
-
-Plugins can use the new :ref:`plugin_hook_permission_resources_sql` hook to return SQL fragments which will be used as part of that query.
-
-Plugins that use any of the following features will need to be updated to work with this and following alphas (and Datasette 1.0 stable itself):
-
-- Checking permissions with ``datasette.permission_allowed()`` - this method has been replaced with :ref:`datasette.allowed() `.
-- Implementing the ``permission_allowed()`` plugin hook - this hook has been removed in favor of :ref:`permission_resources_sql() `.
-- Using ``register_permissions()`` to register permissions - this hook has been removed in favor of :ref:`register_actions() `.
-
-Consult the :ref:`v1.0a20 upgrade guide ` for further details on how to upgrade affected plugins.
-
-Plugins can now make use of two new internal methods to help resolve permission checks:
-
-- :ref:`datasette.allowed_resources() ` returns a ``PaginatedResources`` object with a ``.resources`` list of ``Resource`` instances that an actor is allowed to access for a given action (and a ``.next`` token for pagination).
-- :ref:`datasette.allowed_resources_sql() ` returns the SQL and parameters that can be executed against the internal catalog tables to determine which resources an actor is allowed to access for a given action. This can be combined with further SQL to perform advanced custom filtering.
-
-Related changes:
-
-- The way ``datasette --root`` works has changed. Running Datasette with this flag now causes the root actor to pass *all* permission checks. (:issue:`2521`)
-
-- Permission debugging improvements:
-
-  - The ``/-/allowed`` endpoint shows resources the user is allowed to interact with for different actions.
-  - ``/-/rules`` shows the raw allow/deny rules that apply to different permission checks.
-  - ``/-/actions`` lists every available action.
-  - ``/-/check`` can be used to try out different permission checks for the current actor.
-
-Other changes
-~~~~~~~~~~~~~
-
-- The internal ``catalog_views`` table now tracks SQLite views alongside tables in the introspection database. (:issue:`2495`)
-- Hitting the ``/`` brings up a search interface for navigating to tables that the current user can view. A new ``/-/tables`` endpoint supports this functionality. (:issue:`2523`)
-- Datasette attempts to detect some configuration errors on startup.
-- Datasette now supports Python 3.14 and no longer tests against Python 3.9.
-
 .. _v1_0_a19:
 
 1.0a19 (2025-04-21)
@@ -275,7 +188,7 @@ This alpha release adds basic alter table support to the Datasette Write API and
 Alter table support for create, insert, upsert and update
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The :ref:`JSON write API ` can now be used to apply simple alter table schema changes, provided the acting actor has the new :ref:`actions_alter_table` permission. (:issue:`2101`)
+The :ref:`JSON write API ` can now be used to apply simple alter table schema changes, provided the acting actor has the new :ref:`permissions_alter_table` permission. (:issue:`2101`)
 
 The only alter operation supported so far is adding new columns to an existing table.
 
@@ -290,12 +203,12 @@ Permissions fix for the upsert API
 
 The :ref:`/database/table/-/upsert API ` had a minor permissions bug, only affecting Datasette instances that had configured the ``insert-row`` and ``update-row`` permissions to apply to a specific table rather than the database or instance as a whole. Full details in issue :issue:`2262`.
 
-To avoid similar mistakes in the future the ``datasette.permission_allowed()`` method now specifies ``default=`` as a keyword-only argument.
+To avoid similar mistakes in the future the :ref:`datasette.permission_allowed() ` method now specifies ``default=`` as a keyword-only argument.
 
 Permission checks now consider opinions from every plugin
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The ``datasette.permission_allowed()`` method previously consulted every plugin that implemented the ``permission_allowed()`` plugin hook and obeyed the opinion of the last plugin to return a value. (:issue:`2275`)
+The :ref:`datasette.permission_allowed() ` method previously consulted every plugin that implemented the :ref:`permission_allowed() ` plugin hook and obeyed the opinion of the last plugin to return a value. (:issue:`2275`)
 
 Datasette now consults every plugin and checks to see if any of them returned ``False`` (the veto rule), and if none of them did, it then checks to see if any of them returned ``True``.
 
@@ -555,7 +468,7 @@ The third Datasette 1.0 alpha release adds upsert support to the JSON API, plus
 See `Datasette 1.0a2: Upserts and finely grained permissions `__ for an extended, annotated version of these release notes.
 
 - New ``/db/table/-/upsert`` API, :ref:`documented here `. upsert is an update-or-insert: existing rows will have specified keys updated, but if no row matches the incoming primary key a brand new row will be inserted instead. (:issue:`1878`)
-- New ``register_permissions()`` plugin hook. Plugins can now register named permissions, which will then be listed in various interfaces that show available permissions. (:issue:`1940`)
+- New :ref:`plugin_register_permissions` plugin hook. Plugins can now register named permissions, which will then be listed in various interfaces that show available permissions. (:issue:`1940`)
 - The ``/db/-/create`` API for :ref:`creating a table ` now accepts ``"ignore": true`` and ``"replace": true`` options when called with the ``"rows"`` property that creates a new table based on an example set of rows. This means the API can be called multiple times with different rows, setting rules for what should happen if a primary key collides with an existing row. (:issue:`1927`)
 - Arbitrary permissions can now be configured at the instance, database and resource (table, SQL view or canned query) level in Datasette's :ref:`metadata` JSON and YAML files. The new ``"permissions"`` key can be used to specify which actors should have which permissions. See :ref:`authentication_permissions_other` for details. (:issue:`1636`)
 - The ``/-/create-token`` page can now be used to create API tokens which are restricted to just a subset of actions, including against specific databases or resources. See :ref:`CreateTokenView` for details. (:issue:`1947`)
@@ -664,7 +577,7 @@ Documentation
 .. _v0_62:
 
 0.62 (2022-08-14)
------------------
+-------------------
 
 Datasette can now run entirely in your browser using WebAssembly. Try out `Datasette Lite `__, take a look `at the code `__ or read more about it in `Datasette Lite: a server-side Python web application running in a browser `__.
 
@@ -730,7 +643,7 @@ Datasette also now requires Python 3.7 or higher.
 - Datasette is now covered by a `Code of Conduct `__. (:issue:`1654`)
 - Python 3.6 is no longer supported. (:issue:`1577`)
 - Tests now run against Python 3.11-dev. (:issue:`1621`)
-- New ``datasette.ensure_permissions(actor, permissions)`` internal method for checking multiple permissions at once. (:issue:`1675`)
+- New :ref:`datasette.ensure_permissions(actor, permissions) ` internal method for checking multiple permissions at once. (:issue:`1675`)
 - New :ref:`datasette.check_visibility(actor, action, resource=None) ` internal method for checking if a user can see a resource that would otherwise be invisible to unauthenticated users. (:issue:`1678`)
 - Table and row HTML pages now include a ```` element and return a ``Link: URL; rel="alternate"; type="application/json+datasette"`` HTTP header pointing to the JSON version of those pages. (:issue:`1533`)
 - ``Access-Control-Expose-Headers: Link`` is now added to the CORS headers, allowing remote JavaScript to access that header.
@@ -1155,7 +1068,7 @@ Smaller changes
 ~~~~~~~~~~~~~~~
 
 - Wide tables shown within Datasette now scroll horizontally (:issue:`998`). This is achieved using a new ``
`` element which may impact the implementation of some plugins (for example `this change to datasette-cluster-map `__).
-- New :ref:`actions_debug_menu` permission. (:issue:`1068`)
+- New :ref:`permissions_debug_menu` permission. (:issue:`1068`)
 - Removed ``--debug`` option, which didn't do anything. (:issue:`814`)
 - ``Link:`` HTTP header pagination. (:issue:`1014`)
 - ``x`` button for clearing filters. (:issue:`1016`)
@@ -1414,7 +1327,7 @@ You can use the new ``"allow"`` block syntax in ``metadata.json`` (or ``metadata
 
 See :ref:`authentication_permissions_allow` for more details.
 
-Plugins can implement their own custom permission checks using the new ``plugin_hook_permission_allowed()`` plugin hook.
+Plugins can implement their own custom permission checks using the new :ref:`plugin_hook_permission_allowed` hook.
 
 A new debug page at ``/-/permissions`` shows recent permission checks, to help administrators and plugin authors understand exactly what checks are being performed. This tool defaults to only being available to the root user, but can be exposed to other users by plugins that respond to the ``permissions-debug`` permission. (:issue:`788`)
 
@@ -1490,7 +1403,7 @@ Smaller changes
 - New :ref:`datasette.get_database() ` method.
 - Added ``_`` prefix to many private, undocumented methods of the Datasette class. (:issue:`576`)
 - Removed the ``db.get_outbound_foreign_keys()`` method which duplicated the behaviour of ``db.foreign_keys_for_table()``.
-- New ``await datasette.permission_allowed()`` method.
+- New :ref:`await datasette.permission_allowed() ` method.
 - ``/-/actor`` debugging endpoint for viewing the currently authenticated actor.
 - New ``request.cookies`` property.
 - ``/-/plugins`` endpoint now shows a list of hooks implemented by each plugin, e.g. https://latest.datasette.io/-/plugins?all=1
diff --git a/docs/cli-reference.rst b/docs/cli-reference.rst
index 7ca88c4e..67e06254 100644
--- a/docs/cli-reference.rst
+++ b/docs/cli-reference.rst
@@ -119,10 +119,8 @@ Once started you can access it at ``http://localhost:8001``
                                       signed cookies
       --root                          Output URL that sets a cookie authenticating
                                       the root user
-      --default-deny                  Deny all permissions by default
       --get TEXT                      Run an HTTP GET request against this path,
                                       print results and exit
-      --headers                       Include HTTP headers in --get output
       --token TEXT                    API token to send with --get requests
       --actor TEXT                    Actor to use for --get requests (JSON string)
       --version-note TEXT             Additional note to show on /-/versions
@@ -490,15 +488,8 @@ See :ref:`publish_cloud_run`.
       --cpu [1|2|4]                   Number of vCPUs to allocate in Cloud Run
       --timeout INTEGER               Build timeout in seconds
       --apt-get-install TEXT          Additional packages to apt-get install
-      --max-instances INTEGER         Maximum Cloud Run instances (use 0 to remove
-                                      the limit)  [default: 1]
+      --max-instances INTEGER         Maximum Cloud Run instances
       --min-instances INTEGER         Minimum Cloud Run instances
-      --artifact-repository TEXT      Artifact Registry repository to store the
-                                      image  [default: datasette]
-      --artifact-region TEXT          Artifact Registry location (region or multi-
-                                      region)  [default: us]
-      --artifact-project TEXT         Project ID for Artifact Registry (defaults to
-                                      the active project)
       --help                          Show this message and exit.
 
 
diff --git a/docs/conf.py b/docs/conf.py
index 0879eeb9..e13882b2 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -36,19 +36,12 @@ extensions = [
     "sphinx.ext.extlinks",
     "sphinx.ext.autodoc",
     "sphinx_copybutton",
-    "myst_parser",
-    "sphinx_markdown_builder",
 ]
 if not os.environ.get("DISABLE_SPHINX_INLINE_TABS"):
     extensions += ["sphinx_inline_tabs"]
 
 autodoc_member_order = "bysource"
 
-myst_enable_extensions = ["colon_fence"]
-
-markdown_http_base = "https://docs.datasette.io/en/stable"
-markdown_uri_doc_suffix = ".html"
-
 extlinks = {
     "issue": ("https://github.com/simonw/datasette/issues/%s", "#%s"),
 }
@@ -60,10 +53,7 @@ templates_path = ["_templates"]
 # You can specify multiple suffix as a list of string:
 #
 # source_suffix = ['.rst', '.md']
-source_suffix = {
-    ".rst": "restructuredtext",
-    ".md": "markdown",
-}
+source_suffix = ".rst"
 
 # The master toctree document.
 master_doc = "index"
diff --git a/docs/contributing.rst b/docs/contributing.rst
index 6be0247c..c1268321 100644
--- a/docs/contributing.rst
+++ b/docs/contributing.rst
@@ -13,14 +13,13 @@ General guidelines
 * **main should always be releasable**. Incomplete features should live in branches. This ensures that any small bug fixes can be quickly released.
 * **The ideal commit** should bundle together the implementation, unit tests and associated documentation updates. The commit message should link to an associated issue.
 * **New plugin hooks** should only be shipped if accompanied by a separate release of a non-demo plugin that uses them.
-* **New user-facing views and documentation** should be added or updated alongside their implementation. The `/docs` folder includes pages for plugin hooks and built-in views—please ensure any new hooks or views are reflected there so the documentation tests continue to pass.
 
 .. _devenvironment:
 
 Setting up a development environment
 ------------------------------------
 
-If you have Python 3.10 or higher installed on your computer (on OS X the quickest way to do this `is using homebrew `__) you can install an editable copy of Datasette using the following steps.
+If you have Python 3.8 or higher installed on your computer (on OS X the quickest way to do this `is using homebrew `__) you can install an editable copy of Datasette using the following steps.
 
 If you want to use GitHub to publish your changes, first `create a fork of datasette `__ under your own GitHub account.
 
@@ -42,7 +41,7 @@ The next step is to create a virtual environment for your project and use it to
     # Install Datasette and its testing dependencies
     python3 -m pip install -e '.[test]'
 
-That last line does most of the work: ``pip install -e`` means "install this package in a way that allows me to edit the source code in place". The ``.[test]`` option means "install the optional testing dependencies as well".
+That last line does most of the work: ``pip install -e`` means "install this package in a way that allows me to edit the source code in place". The ``.[test]`` option means "use the setup.py in this directory and install the optional testing dependencies as well".
 
 .. _contributing_running_tests:
 
@@ -131,15 +130,6 @@ These formatters are enforced by Datasette's continuous integration: if a commit
 
 When developing locally, you can verify and correct the formatting of your code using these tools.
 
-If you are using `Just `__ the quickest way to run these is like so::
-
-    just black
-    just prettier
-
-Or run both at the same time::
-
-    just format
-
 .. _contributing_formatting_black:
 
 Running Black
@@ -160,7 +150,7 @@ If any of your code does not conform to Black you can run this to automatically
 
 ::
 
-    reformatted ../datasette/app.py
+    reformatted ../datasette/setup.py
     All done! ✨ 🍰 ✨
     1 file reformatted, 94 files left unchanged.
 
diff --git a/docs/deploying.rst b/docs/deploying.rst
index 95b4b52e..3754267d 100644
--- a/docs/deploying.rst
+++ b/docs/deploying.rst
@@ -79,7 +79,7 @@ Datasette will not be accessible from outside the server because it is listening
 .. _deploying_openrc:
 
 Running Datasette using OpenRC
-==============================
+===============================
 OpenRC is the service manager on non-systemd Linux distributions like `Alpine Linux `__ and `Gentoo `__.
 
 Create an init script at ``/etc/init.d/datasette`` with the following contents:
diff --git a/docs/events.md b/docs/events.rst
similarity index 74%
rename from docs/events.md
rename to docs/events.rst
index 399317e9..b86c8025 100644
--- a/docs/events.md
+++ b/docs/events.rst
@@ -1,14 +1,14 @@
-(events)=
-# Events
+.. _events:
+
+Events
+======
 
 Datasette includes a mechanism for tracking events that occur while the software is running. This is primarily intended to be used by plugins, which can both trigger events and listen for events.
 
 The core Datasette application triggers events when certain things happen. This page describes those events.
 
-Plugins can listen for events using the {ref}`plugin_hook_track_event` plugin hook, which will be called with instances of the following classes - or additional classes {ref}`registered by other plugins `.
+Plugins can listen for events using the :ref:`plugin_hook_track_event` plugin hook, which will be called with instances of the following classes - or additional classes :ref:`registered by other plugins `.
 
-```{eval-rst}
 .. automodule:: datasette.events
     :members:
     :exclude-members: Event
-```
diff --git a/docs/installation.rst b/docs/installation.rst
index 33d3d6a1..e272241b 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -54,7 +54,7 @@ If the latest packaged release of Datasette has not yet been made available thro
 Using pip
 ---------
 
-Datasette requires Python 3.10 or higher. The `Python.org Python For Beginners `__ page has instructions for getting started.
+Datasette requires Python 3.8 or higher. The `Python.org Python For Beginners `__ page has instructions for getting started.
 
 You can install Datasette and its dependencies using ``pip``::
 
diff --git a/docs/internals.rst b/docs/internals.rst
index cfd78593..8575ac14 100644
--- a/docs/internals.rst
+++ b/docs/internals.rst
@@ -272,14 +272,14 @@ The dictionary keys are the name of the database that is used in the URL - e.g.
 
 All databases are listed, irrespective of user permissions.
 
-.. _datasette_actions:
+.. _datasette_permissions:
 
-.actions
---------
+.permissions
+------------
 
-Property exposing a dictionary of actions that have been registered using the :ref:`plugin_register_actions` plugin hook.
+Property exposing a dictionary of permissions that have been registered using the :ref:`plugin_register_permissions` plugin hook.
 
-The dictionary keys are the action names - e.g. ``view-instance`` - and the values are ``Action()`` objects describing the permission.
+The dictionary keys are the permission names - e.g. ``view-instance`` - and the values are ``Permission()`` objects describing the permission. Here is a :ref:`description of that object `.
 
 .. _datasette_plugin_config:
 
@@ -342,182 +342,10 @@ If no plugins that implement that hook are installed, the default return value l
         "2": {"id": "2"}
     }
 
-.. _datasette_allowed:
+.. _datasette_permission_allowed:
 
-await .allowed(\*, action, resource, actor=None)
-------------------------------------------------
-
-``action`` - string
-    The name of the action that is being permission checked.
-
-``resource`` - Resource object
-    A Resource object representing the database, table, or other resource. Must be an instance of a Resource class such as ``TableResource``, ``DatabaseResource``, ``QueryResource``, or ``InstanceResource``.
-
-``actor`` - dictionary, optional
-    The authenticated actor. This is usually ``request.actor``. Defaults to ``None`` for unauthenticated requests.
-
-This method checks if the given actor has permission to perform the given action on the given resource. All parameters must be passed as keyword arguments.
-
-Example usage:
-
-.. code-block:: python
-
-    from datasette.resources import (
-        TableResource,
-        DatabaseResource,
-    )
-
-    # Check if actor can view a specific table
-    can_view = await datasette.allowed(
-        action="view-table",
-        resource=TableResource(
-            database="fixtures", table="facetable"
-        ),
-        actor=request.actor,
-    )
-
-    # Check if actor can execute SQL on a database
-    can_execute = await datasette.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="fixtures"),
-        actor=request.actor,
-    )
-
-The method returns ``True`` if the permission is granted, ``False`` if denied.
-
-.. _datasette_allowed_resources:
-
-await .allowed_resources(action, actor=None, \*, parent=None, include_is_private=False, include_reasons=False, limit=100, next=None)
-------------------------------------------------------------------------------------------------------------------------------------
-
-Returns a ``PaginatedResources`` object containing resources that the actor can access for the specified action, with support for keyset pagination.
-
-``action`` - string
-    The action name (e.g., "view-table", "view-database")
-
-``actor`` - dictionary, optional
-    The authenticated actor. Defaults to ``None`` for unauthenticated requests.
-
-``parent`` - string, optional
-    Optional parent filter (e.g., database name) to limit results
-
-``include_is_private`` - boolean, optional
-    If True, adds a ``.private`` attribute to each Resource indicating whether anonymous users can access it
-
-``include_reasons`` - boolean, optional
-    If True, adds a ``.reasons`` attribute with a list of strings describing why access was granted (useful for debugging)
-
-``limit`` - integer, optional
-    Maximum number of results to return per page (1-1000, default 100)
-
-``next`` - string, optional
-    Keyset token from a previous page for pagination
-
-The method returns a ``PaginatedResources`` object (from ``datasette.utils``) with the following attributes:
-
-``resources`` - list
-    List of ``Resource`` objects for the current page
-
-``next`` - string or None
-    Token for the next page, or ``None`` if no more results exist
-
-Example usage:
-
-.. code-block:: python
-
-    # Get first page of tables
-    page = await datasette.allowed_resources(
-        "view-table",
-        actor=request.actor,
-        parent="fixtures",
-        limit=50,
-    )
-
-    for table in page.resources:
-        print(table.parent, table.child)
-        if hasattr(table, "private"):
-            print(f"  Private: {table.private}")
-
-    # Get next page if available
-    if page.next:
-        next_page = await datasette.allowed_resources(
-            "view-table", actor=request.actor, next=page.next
-        )
-
-    # Iterate through all results automatically
-    page = await datasette.allowed_resources(
-        "view-table", actor=request.actor
-    )
-    async for table in page.all():
-        print(table.parent, table.child)
-
-    # With reasons for debugging
-    page = await datasette.allowed_resources(
-        "view-table", actor=request.actor, include_reasons=True
-    )
-    for table in page.resources:
-        print(f"{table.child}: {table.reasons}")
-
-The ``page.all()`` async generator automatically handles pagination, fetching additional pages and yielding all resources one at a time.
-
-This method uses :ref:`datasette_allowed_resources_sql` under the hood and is an efficient way to list the databases, tables or other resources that an actor can access for a specific action.
-
-.. _datasette_allowed_resources_sql:
-
-await .allowed_resources_sql(\*, action, actor=None, parent=None, include_is_private=False)
--------------------------------------------------------------------------------------------
-
-Builds the SQL query that Datasette uses to determine which resources an actor may access for a specific action. Returns a ``(sql: str, params: dict)`` namedtuple that can be executed against the internal ``catalog_*`` database tables. ``parent`` can be used to limit results to a specific database, and ``include_is_private`` adds a column indicating whether anonymous users would be denied access to that resource.
-
-Plugins that need to execute custom analysis over the raw allow/deny rules can use this helper to run the same query that powers the ``/-/allowed`` debugging interface.
-
-The SQL query built by this method will return the following columns:
-
-- ``parent``: The parent resource identifier (or NULL)
-- ``child``: The child resource identifier (or NULL)
-- ``reason``: The reason from the rule that granted access
-- ``is_private``: (if ``include_is_private``) 1 if anonymous users cannot access, 0 otherwise
-
-.. _datasette_ensure_permission:
-
-await .ensure_permission(action, resource=None, actor=None)
------------------------------------------------------------
-
-``action`` - string
-    The action to check. See :ref:`actions` for a list of available actions.
-
-``resource`` - Resource object (optional)
-    The resource to check the permission against. Must be an instance of ``InstanceResource``, ``DatabaseResource``, or ``TableResource`` from the ``datasette.resources`` module. If omitted, defaults to ``InstanceResource()`` for instance-level permissions.
-
-``actor`` - dictionary (optional)
-    The authenticated actor. This is usually ``request.actor``.
-
-This is a convenience wrapper around :ref:`datasette_allowed` that raises a ``datasette.Forbidden`` exception if the permission check fails. Use this when you want to enforce a permission check and halt execution if the actor is not authorized.
-
-Example:
-
-.. code-block:: python
-
-    from datasette.resources import TableResource
-
-    # Will raise Forbidden if actor cannot view the table
-    await datasette.ensure_permission(
-        action="view-table",
-        resource=TableResource(
-            database="fixtures", table="cities"
-        ),
-        actor=request.actor,
-    )
-
-    # For instance-level actions, resource can be omitted:
-    await datasette.ensure_permission(
-        action="permissions-debug", actor=request.actor
-    )
-
-.. _datasette_check_visibility:
-
-await .check_visibility(actor, action, resource=None)
------------------------------------------------------
+await .permission_allowed(actor, action, resource=None, default=...)
+--------------------------------------------------------------------
 
 ``actor`` - dictionary
     The authenticated actor. This is usually ``request.actor``.
@@ -525,8 +353,64 @@ await .check_visibility(actor, action, resource=None)
 ``action`` - string
     The name of the action that is being permission checked.
 
-``resource`` - Resource object, optional
-    The resource being checked, as a Resource object such as ``DatabaseResource(database=...)``, ``TableResource(database=..., table=...)``, or ``QueryResource(database=..., query=...)``. Only some permissions apply to a resource.
+``resource`` - string or tuple, optional
+    The resource, e.g. the name of the database, or a tuple of two strings containing the name of the database and the name of the table. Only some permissions apply to a resource.
+
+``default`` - optional: True, False or None
+    What value should be returned by default if nothing provides an opinion on this permission check.
+    Set to ``True`` for default allow or ``False`` for default deny.
+    If not specified the ``default`` from the ``Permission()`` tuple that was registered using :ref:`plugin_register_permissions` will be used.
+
+Check if the given actor has :ref:`permission ` to perform the given action on the given resource.
+
+Some permission checks are carried out against :ref:`rules defined in datasette.yaml `, while other custom permissions may be decided by plugins that implement the :ref:`plugin_hook_permission_allowed` plugin hook.
+
+If neither ``metadata.json`` nor any of the plugins provide an answer to the permission query the ``default`` argument will be returned.
+
+See :ref:`permissions` for a full list of permission actions included in Datasette core.
+
+.. _datasette_ensure_permissions:
+
+await .ensure_permissions(actor, permissions)
+---------------------------------------------
+
+``actor`` - dictionary
+    The authenticated actor. This is usually ``request.actor``.
+
+``permissions`` - list
+    A list of permissions to check. Each permission in that list can be a string ``action`` name or a 2-tuple of ``(action, resource)``.
+
+This method allows multiple permissions to be checked at once. It raises a ``datasette.Forbidden`` exception if any of the checks are denied before one of them is explicitly granted.
+
+This is useful when you need to check multiple permissions at once. For example, an actor should be able to view a table if either one of the following checks returns ``True`` or not a single one of them returns ``False``:
+
+.. code-block:: python
+
+    await datasette.ensure_permissions(
+        request.actor,
+        [
+            ("view-table", (database, table)),
+            ("view-database", database),
+            "view-instance",
+        ],
+    )
+
+.. _datasette_check_visibility:
+
+await .check_visibility(actor, action=None, resource=None, permissions=None)
+----------------------------------------------------------------------------
+
+``actor`` - dictionary
+    The authenticated actor. This is usually ``request.actor``.
+
+``action`` - string, optional
+    The name of the action that is being permission checked.
+
+``resource`` - string or tuple, optional
+    The resource, e.g. the name of the database, or a tuple of two strings containing the name of the database and the name of the table. Only some permissions apply to a resource.
+
+``permissions`` - list of ``action`` strings or ``(action, resource)`` tuples, optional
+    Provide this instead of ``action`` and ``resource`` to check multiple permissions at once.
 
 This convenience method can be used to answer the question "should this item be considered private, in that it is visible to me but it is not visible to anonymous users?"
 
@@ -536,12 +420,23 @@ This example checks if the user can access a specific table, and sets ``private`
 
 .. code-block:: python
 
-    from datasette.resources import TableResource
-
     visible, private = await datasette.check_visibility(
         request.actor,
         action="view-table",
-        resource=TableResource(database=database, table=table),
+        resource=(database, table),
+    )
+
+The following example runs three checks in a row, similar to :ref:`datasette_ensure_permissions`. If any of the checks are denied before one of them is explicitly granted then ``visible`` will be ``False``. ``private`` will be ``True`` if an anonymous user would not be able to view the resource.
+
+.. code-block:: python
+
+    visible, private = await datasette.check_visibility(
+        request.actor,
+        permissions=[
+            ("view-table", (database, table)),
+            ("view-database", database),
+            "view-instance",
+        ],
     )
 
 .. _datasette_create_token:
@@ -594,6 +489,16 @@ The following example creates a token that can access ``view-instance`` and ``vi
         },
     )
 
+.. _datasette_get_permission:
+
+.get_permission(name_or_abbr)
+-----------------------------
+
+``name_or_abbr`` - string
+    The name or abbreviation of the permission to look up, e.g. ``view-table`` or ``vt``.
+
+Returns a :ref:`Permission object ` representing the permission, or raises a ``KeyError`` if one is not found.
+
 .. _datasette_get_database:
 
 .get_database(name)
@@ -781,8 +686,8 @@ Use ``is_mutable=False`` to add an immutable database.
 
 .. _datasette_add_memory_database:
 
-.add_memory_database(memory_name, name=None, route=None)
---------------------------------------------------------
+.add_memory_database(name)
+--------------------------
 
 Adds a shared in-memory database with the specified name:
 
@@ -800,9 +705,7 @@ This is a shortcut for the following:
         Database(datasette, memory_name="statistics")
     )
 
-Using either of these patterns will result in the in-memory database being served at ``/statistics``.
-
-The ``name`` and ``route`` parameters are optional and work the same way as they do for :ref:`datasette_add_database`.
+Using either of these pattern will result in the in-memory database being served at ``/statistics``.
 
 .. _datasette_remove_database:
 
@@ -1047,60 +950,6 @@ These methods can be used with :ref:`internals_datasette_urls` - for example:
 
 For documentation on available ``**kwargs`` options and the shape of the HTTPX Response object refer to the `HTTPX Async documentation `__.
 
-Bypassing permission checks
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-All ``datasette.client`` methods accept an optional ``skip_permission_checks=True`` parameter. When set, all permission checks will be bypassed for that request, allowing access to any resource regardless of the configured permissions.
-
-This is useful for plugins and internal operations that need to access all resources without being subject to permission restrictions.
-
-Example usage:
-
-.. code-block:: python
-
-    # Regular request - respects permissions
-    response = await datasette.client.get(
-        "/private-db/secret-table.json"
-    )
-    # May return 403 Forbidden if access is denied
-
-    # With skip_permission_checks - bypasses all permission checks
-    response = await datasette.client.get(
-        "/private-db/secret-table.json",
-        skip_permission_checks=True,
-    )
-    # Will return 200 OK and the data, regardless of permissions
-
-This parameter works with all HTTP methods (``get``, ``post``, ``put``, ``patch``, ``delete``, ``options``, ``head``) and the generic ``request`` method.
-
-.. warning::
-
-    Use ``skip_permission_checks=True`` with caution. It completely bypasses Datasette's permission system and should only be used in trusted plugin code or internal operations where you need guaranteed access to resources.
-
-.. _internals_datasette_is_client:
-
-Detecting internal client requests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-``datasette.in_client()`` - returns bool
-    Returns ``True`` if the current code is executing within a ``datasette.client`` request, ``False`` otherwise.
-
-This method is useful for plugins that need to behave differently when called through ``datasette.client`` versus when handling external HTTP requests.
-
-Example usage:
-
-.. code-block:: python
-
-    async def fetch_documents(datasette):
-        if not datasette.in_client():
-            return Response.text(
-                "Only available via internal client requests",
-                status=403,
-            )
-        ...
-
-Note that ``datasette.in_client()`` is independent of ``skip_permission_checks``. A request made through ``datasette.client`` will always have ``in_client()`` return ``True``, regardless of whether ``skip_permission_checks`` is set.
-
 .. _internals_datasette_urls:
 
 datasette.urls
@@ -1152,132 +1001,6 @@ Use the ``format="json"`` (or ``"csv"`` or other formats supported by plugins) a
 
 These methods each return a ``datasette.utils.PrefixedUrlString`` object, which is a subclass of the Python ``str`` type. This allows the logic that considers the ``base_url`` setting to detect if that prefix has already been applied to the path.
 
-.. _internals_permission_classes:
-
-Permission classes and utilities
-================================
-
-.. _internals_permission_sql:
-
-PermissionSQL class
--------------------
-
-The ``PermissionSQL`` class is used by plugins to contribute SQL-based permission rules through the :ref:`plugin_hook_permission_resources_sql` hook. This enables efficient permission checking across multiple resources by leveraging SQLite's query engine.
-
-.. code-block:: python
-
-    from datasette.permissions import PermissionSQL
-
-
-    @dataclass
-    class PermissionSQL:
-        source: str  # Plugin name for auditing
-        sql: str  # SQL query returning permission rules
-        params: Dict[str, Any]  # Parameters for the SQL query
-
-**Attributes:**
-
-``source`` - string
-    An identifier for the source of these permission rules, typically the plugin name. This is used for debugging and auditing.
-
-``sql`` - string
-    A SQL query that returns permission rules. The query must return rows with the following columns:
-
-    - ``parent`` (TEXT or NULL) - The parent resource identifier (e.g., database name)
-    - ``child`` (TEXT or NULL) - The child resource identifier (e.g., table name)
-    - ``allow`` (INTEGER) - 1 for allow, 0 for deny
-    - ``reason`` (TEXT) - A human-readable explanation of why this permission was granted or denied
-
-``params`` - dictionary
-    A dictionary of parameters to bind into the SQL query. Parameter names should not include the ``:`` prefix.
-
-.. _permission_sql_parameters:
-
-Available SQL parameters
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-When writing SQL for ``PermissionSQL``, the following parameters are automatically available:
-
-``:actor`` - JSON string or NULL
-    The full actor dictionary serialized as JSON. Use SQLite's ``json_extract()`` function to access fields:
-
-    .. code-block:: sql
-
-        json_extract(:actor, '$.role') = 'admin'
-        json_extract(:actor, '$.team') = 'engineering'
-
-``:actor_id`` - string or NULL
-    The actor's ``id`` field, for simple equality comparisons:
-
-    .. code-block:: sql
-
-        :actor_id = 'alice'
-
-``:action`` - string
-    The action being checked (e.g., ``"view-table"``, ``"insert-row"``, ``"execute-sql"``).
-
-**Example usage:**
-
-Here's an example plugin that grants view-table permissions to users with an "analyst" role for tables in the "analytics" database:
-
-.. code-block:: python
-
-    from datasette import hookimpl
-    from datasette.permissions import PermissionSQL
-
-
-    @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if action != "view-table":
-            return None
-
-        return PermissionSQL(
-            source="my_analytics_plugin",
-            sql="""
-                SELECT 'analytics' AS parent,
-                       NULL AS child,
-                       1 AS allow,
-                       'Analysts can view analytics database' AS reason
-                WHERE json_extract(:actor, '$.role') = 'analyst'
-                  AND :action = 'view-table'
-            """,
-            params={},
-        )
-
-A more complex example that uses custom parameters:
-
-.. code-block:: python
-
-    @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if not actor:
-            return None
-
-        user_teams = actor.get("teams", [])
-
-        return PermissionSQL(
-            source="team_permissions_plugin",
-            sql="""
-                SELECT
-                    team_database AS parent,
-                    team_table AS child,
-                    1 AS allow,
-                    'User is member of team: ' || team_name AS reason
-                FROM team_permissions
-                WHERE user_id = :user_id
-                  AND :action IN ('view-table', 'insert-row', 'update-row')
-            """,
-            params={"user_id": actor.get("id")},
-        )
-
-**Permission resolution rules:**
-
-When multiple ``PermissionSQL`` objects return conflicting rules for the same resource, Datasette applies the following precedence:
-
-1. **Specificity**: Child-level rules (with both ``parent`` and ``child``) override parent-level rules (with only ``parent``), which override root-level rules (with neither ``parent`` nor ``child``)
-2. **Deny over allow**: At the same specificity level, deny (``allow=0``) takes precedence over allow (``allow=1``)
-3. **Implicit deny**: If no rules match a resource, access is denied by default
-
 .. _internals_database:
 
 Database class
@@ -1404,7 +1127,7 @@ Example usage:
 .. _database_execute_write:
 
 await db.execute_write(sql, params=None, block=True)
-----------------------------------------------------
+-----------------------------------------------------
 
 SQLite only allows one database connection to write at a time. Datasette handles this for you by maintaining a queue of writes to be executed against a given database. Plugins can submit write operations to this queue and they will be executed in the order in which they are received.
 
@@ -1421,7 +1144,7 @@ Each call to ``execute_write()`` will be executed inside a transaction.
 .. _database_execute_write_script:
 
 await db.execute_write_script(sql, block=True)
-----------------------------------------------
+-----------------------------------------------
 
 Like ``execute_write()`` but can be used to send multiple SQL statements in a single string separated by semicolons, using the ``sqlite3`` `conn.executescript() `__ method.
 
@@ -1430,7 +1153,7 @@ Each call to ``execute_write_script()`` will be executed inside a transaction.
 .. _database_execute_write_many:
 
 await db.execute_write_many(sql, params_seq, block=True)
---------------------------------------------------------
+---------------------------------------------------------
 
 Like ``execute_write()`` but uses the ``sqlite3`` `conn.executemany() `__ method. This will efficiently execute the same SQL statement against each of the parameters in the ``params_seq`` iterator, for example:
 
diff --git a/docs/introspection.rst b/docs/introspection.rst
index 19c6bffb..ff78ec78 100644
--- a/docs/introspection.rst
+++ b/docs/introspection.rst
@@ -144,47 +144,6 @@ Shows currently attached databases. `Databases example `_:
-
-.. code-block:: json
-
-    {
-        "matches": [
-            {
-                "name": "fixtures/facetable",
-                "url": "/fixtures/facetable"
-            },
-            {
-                "name": "fixtures/searchable",
-                "url": "/fixtures/searchable"
-            }
-        ]
-    }
-
-Search example with ``?q=facet`` returns only tables matching ``.*facet.*``:
-
-.. code-block:: json
-
-    {
-        "matches": [
-            {
-                "name": "fixtures/facetable",
-                "url": "/fixtures/facetable"
-            }
-        ]
-    }
-
-When multiple search terms are provided (e.g., ``?q=user+profile``), tables must match the pattern ``.*user.*profile.*``. Results are ordered by shortest table name first.
-
 .. _JsonDataView_threads:
 
 /-/threads
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 91a2bb15..42f10d74 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -347,7 +347,7 @@ Special table arguments
     though this could potentially result in errors if the wrong syntax is used.
 
 ``?_where=SQL-fragment``
-    If the :ref:`actions_execute_sql` permission is enabled, this parameter
+    If the :ref:`permissions_execute_sql` permission is enabled, this parameter
     can be used to pass one or more additional SQL fragments to be used in the
     `WHERE` clause of the SQL used to query the table.
 
@@ -405,6 +405,94 @@ Special table arguments
 ``?_nocount=1``
     Disable the ``select count(*)`` query used on this page - a count of ``None`` will be returned instead.
 
+Table extras
+~~~~~~~~~~~~
+
+JSON responses for table pages can include additional keys that are omitted by default. Pass one or more ``?_extra=NAME``
+parameters (either repeating the argument or providing a comma-separated list) to opt in to the data that you need. The
+following extras are available:
+
+``?_extra=count``
+    Returns the total number of rows that match the current filters, or ``null`` if the calculation times out or is
+    otherwise unavailable. ``count`` may be served from cached introspection data for immutable databases when
+    possible.【F:datasette/views/table.py†L1284-L1311】
+
+``?_extra=count_sql``
+    Returns the SQL that Datasette will execute in order to calculate the total row count.【F:datasette/views/table.py†L1284-L1290】
+
+``?_extra=facet_results``
+    Includes the full set of facet results calculated for the table view. The returned object has a ``results`` mapping
+    of facet definitions to their buckets and a ``timed_out`` list describing any facets that hit the time limit.【F:datasette/views/table.py†L1316-L1365】
+
+``?_extra=facets_timed_out``
+    Adds just the list of facets that timed out while executing, without the full facet payload.【F:datasette/views/table.py†L1592-L1617】
+
+``?_extra=suggested_facets``
+    Returns suggestions for additional facets to apply, each with a ``name`` and ``toggle_url`` that can be used to
+    activate that facet.【F:datasette/views/table.py†L1367-L1386】
+
+``?_extra=human_description_en``
+    Adds a human-readable sentence describing the current filters and sort order.【F:datasette/views/table.py†L1388-L1403】
+
+``?_extra=next_url``
+    Includes an absolute URL for the next page of results, or ``null`` if there is no next page.【F:datasette/views/table.py†L1404-L1406】
+
+``?_extra=columns``
+    Restores the ``columns`` list to the JSON output. Datasette removes this list by default to avoid duplicating
+    information unless it is explicitly requested using this extra.【F:datasette/renderer.py†L110-L123】
+
+``?_extra=primary_keys``
+    Adds the list of primary key columns for the table.【F:datasette/views/table.py†L1408-L1414】
+
+``?_extra=query``
+    Returns the SQL query and parameters used to produce the current page of results.【F:datasette/views/table.py†L1484-L1490】
+
+``?_extra=metadata``
+    Includes metadata for the table and its columns, combining values from configuration and the ``metadata_columns``
+    table.【F:datasette/views/table.py†L1491-L1527】
+
+``?_extra=database`` and ``?_extra=table``
+    Return the database name and table name for the current view.【F:datasette/views/table.py†L1510-L1517】
+
+``?_extra=database_color``
+    Adds the configured color for the database, useful for mirroring Datasette's UI styling.【F:datasette/views/table.py†L1518-L1520】
+
+``?_extra=renderers``
+    Lists the alternative output renderers available for the data, mapping renderer names to URLs that apply the
+    requested renderer.【F:datasette/views/table.py†L1554-L1577】
+
+``?_extra=custom_table_templates``
+    Returns the ordered list of template names Datasette will consider when rendering the HTML table view.【F:datasette/views/table.py†L1533-L1540】
+
+``?_extra=sorted_facet_results``
+    Provides the facet definitions sorted by the number of results they contain, ready for display in descending order.【F:datasette/views/table.py†L1541-L1549】
+
+``?_extra=table_definition`` and ``?_extra=view_definition``
+    Include the ``CREATE TABLE`` or ``CREATE VIEW`` SQL definitions where available.【F:datasette/views/table.py†L1548-L1553】
+
+``?_extra=is_view`` and ``?_extra=private``
+    Report whether the current resource is a view and whether it is private to the current actor.【F:datasette/views/table.py†L1439-L1453】【F:datasette/views/table.py†L1581-L1587】
+
+``?_extra=expandable_columns``
+    Lists foreign key columns that can be expanded, each entry pairing the foreign key description with the column used
+    for labels when expanding that relationship.【F:datasette/views/table.py†L1584-L1588】
+
+``?_extra=form_hidden_args``
+    Returns the ``("key", "value")`` pairs that Datasette includes as hidden fields in table forms for the current set
+    of ``_`` query string arguments.【F:datasette/views/table.py†L1519-L1530】
+
+``?_extra=extras``
+    Provides metadata about all available extras, including toggle URLs that can be used to turn them on and off in the
+    current query string.【F:datasette/views/table.py†L1592-L1611】
+
+``?_extra=debug`` and ``?_extra=request``
+    Return debugging context, including the resolved SQL details and request metadata such as the full URL and query
+    string arguments.【F:datasette/views/table.py†L1442-L1467】
+
+In addition to these API-friendly extras, Datasette exposes a handful of extras that are primarily intended for its HTML
+interface—``actions``, ``filters``, ``display_columns`` and ``display_rows``. These currently return Python objects such
+as callables or ``sqlite3.Row`` instances and may raise serialization errors if requested as JSON extras.【F:datasette/views/table.py†L1415-L1526】【F:datasette/renderer.py†L120-L123】
+
 .. _expand_foreign_keys:
 
 Expanding foreign key references
@@ -440,6 +528,15 @@ looks like:
 The column in the foreign key table that is used for the label can be specified
 in ``metadata.json`` - see :ref:`label_columns`.
 
+Row detail extras
+-----------------
+
+Row detail JSON is available at ``///.json``. Responses include the database and table names,
+``rows`` and ``columns`` for the matched record, the primary key column names, the primary key values, and a ``query_ms``
+timing for the lookup. Pass ``?_extras=foreign_key_tables`` (note the plural parameter name) to include a
+``foreign_key_tables`` array describing incoming foreign keys, the number of related rows and navigation links to view
+those rows.【F:datasette/views/row.py†L41-L111】
+
 .. _json_api_discover_alternate:
 
 Discovering the JSON for a page
@@ -510,7 +607,7 @@ Datasette provides a write API for JSON data. This is a POST-only API that requi
 Inserting rows
 ~~~~~~~~~~~~~~
 
-This requires the :ref:`actions_insert_row` permission.
+This requires the :ref:`permissions_insert_row` permission.
 
 A single row can be inserted using the ``"row"`` key:
 
@@ -621,9 +718,9 @@ Pass ``"ignore": true`` to ignore these errors and insert the other rows:
         "ignore": true
     }
 
-Or you can pass ``"replace": true`` to replace any rows with conflicting primary keys with the new values. This requires the :ref:`actions_update_row` permission.
+Or you can pass ``"replace": true`` to replace any rows with conflicting primary keys with the new values. This requires the :ref:`permissions_update_row` permission.
 
-Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`actions_alter_table` permission.
+Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`permissions_alter_table` permission.
 
 .. _TableUpsertView:
 
@@ -632,7 +729,7 @@ Upserting rows
 
 An upsert is an insert or update operation. If a row with a matching primary key already exists it will be updated - otherwise a new row will be inserted.
 
-The upsert API is mostly the same shape as the :ref:`insert API `. It requires both the :ref:`actions_insert_row` and :ref:`actions_update_row` permissions.
+The upsert API is mostly the same shape as the :ref:`insert API `. It requires both the :ref:`permissions_insert_row` and :ref:`permissions_update_row` permissions.
 
 ::
 
@@ -735,14 +832,14 @@ When using upsert you must provide the primary key column (or columns if the tab
 
 If your table does not have an explicit primary key you should pass the SQLite ``rowid`` key instead.
 
-Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`actions_alter_table` permission.
+Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`permissions_alter_table` permission.
 
 .. _RowUpdateView:
 
 Updating a row
 ~~~~~~~~~~~~~~
 
-To update a row, make a ``POST`` to ``//
//-/update``. This requires the :ref:`actions_update_row` permission.
+To update a row, make a ``POST`` to ``//
//-/update``. This requires the :ref:`permissions_update_row` permission.
 
 ::
 
@@ -792,14 +889,14 @@ The returned JSON will look like this:
 
 Any errors will return ``{"errors": ["... descriptive message ..."], "ok": false}``, and a ``400`` status code for a bad input or a ``403`` status code for an authentication or permission error.
 
-Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`actions_alter_table` permission.
+Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`permissions_alter_table` permission.
 
 .. _RowDeleteView:
 
 Deleting a row
 ~~~~~~~~~~~~~~
 
-To delete a row, make a ``POST`` to ``//
//-/delete``. This requires the :ref:`actions_delete_row` permission.
+To delete a row, make a ``POST`` to ``//
//-/delete``. This requires the :ref:`permissions_delete_row` permission.
 
 ::
 
@@ -818,7 +915,7 @@ Any errors will return ``{"errors": ["... descriptive message ..."], "ok": false
 Creating a table
 ~~~~~~~~~~~~~~~~
 
-To create a table, make a ``POST`` to ``//-/create``. This requires the :ref:`actions_create_table` permission.
+To create a table, make a ``POST`` to ``//-/create``. This requires the :ref:`permissions_create_table` permission.
 
 ::
 
@@ -859,8 +956,8 @@ The JSON here describes the table that will be created:
 
 * ``pks`` can be used instead of ``pk`` to create a compound primary key. It should be a JSON list of column names to use in that primary key.
 * ``ignore`` can be set to ``true`` to ignore existing rows by primary key if the table already exists.
-* ``replace`` can be set to ``true`` to replace existing rows by primary key if the table already exists. This requires the :ref:`actions_update_row` permission.
-* ``alter`` can be set to ``true`` if you want to automatically add any missing columns to the table. This requires the :ref:`actions_alter_table` permission.
+* ``replace`` can be set to ``true`` to replace existing rows by primary key if the table already exists. This requires the :ref:`permissions_update_row` permission.
+* ``alter`` can be set to ``true`` if you want to automatically add any missing columns to the table. This requires the :ref:`permissions_alter_table` permission.
 
 If the table is successfully created this will return a ``201`` status code and the following response:
 
@@ -906,7 +1003,7 @@ Datasette will create a table with a schema that matches those rows and insert t
         "pk": "id"
     }
 
-Doing this requires both the :ref:`actions_create_table` and :ref:`actions_insert_row` permissions.
+Doing this requires both the :ref:`permissions_create_table` and :ref:`permissions_insert_row` permissions.
 
 The ``201`` response here will be similar to the ``columns`` form, but will also include the number of rows that were inserted as ``row_count``:
 
@@ -937,16 +1034,16 @@ If you pass a row to the create endpoint with a primary key that already exists
 
 You can avoid this error by passing the same ``"ignore": true`` or ``"replace": true`` options to the create endpoint as you can to the :ref:`insert endpoint `.
 
-To use the ``"replace": true`` option you will also need the :ref:`actions_update_row` permission.
+To use the ``"replace": true`` option you will also need the :ref:`permissions_update_row` permission.
 
-Pass ``"alter": true`` to automatically add any missing columns to the existing table that are present in the rows you are submitting. This requires the :ref:`actions_alter_table` permission.
+Pass ``"alter": true`` to automatically add any missing columns to the existing table that are present in the rows you are submitting. This requires the :ref:`permissions_alter_table` permission.
 
 .. _TableDropView:
 
 Dropping tables
 ~~~~~~~~~~~~~~~
 
-To drop a table, make a ``POST`` to ``//
/-/drop``. This requires the :ref:`actions_drop_table` permission.
+To drop a table, make a ``POST`` to ``//
/-/drop``. This requires the :ref:`permissions_drop_table` permission.
 
 ::
 
diff --git a/docs/pages.rst b/docs/pages.rst
index 2e54ce2f..3ba20ea7 100644
--- a/docs/pages.rst
+++ b/docs/pages.rst
@@ -28,7 +28,7 @@ The index page can also be accessed at ``/-/``, useful for if the default index
 Database
 ========
 
-Each database has a page listing the tables, views and canned queries available for that database. If the :ref:`actions_execute_sql` permission is enabled (it's on by default) there will also be an interface for executing arbitrary SQL select queries against the data.
+Each database has a page listing the tables, views and canned queries available for that database. If the :ref:`permissions_execute_sql` permission is enabled (it's on by default) there will also be an interface for executing arbitrary SQL select queries against the data.
 
 Examples:
 
@@ -60,7 +60,7 @@ The following tables are hidden by default:
 Queries
 =======
 
-The ``/database-name/-/query`` page can be used to execute an arbitrary SQL query against that database, if the :ref:`actions_execute_sql` permission is enabled. This query is passed as the ``?sql=`` query string parameter.
+The ``/database-name/-/query`` page can be used to execute an arbitrary SQL query against that database, if the :ref:`permissions_execute_sql` permission is enabled. This query is passed as the ``?sql=`` query string parameter.
 
 This means you can link directly to a query by constructing the following URL:
 
@@ -107,46 +107,3 @@ Note that this URL includes the encoded primary key of the record.
 Here's that same page as JSON:
 
 `../people/uk~2Eorg~2Epublicwhip~2Fperson~2F10001.json `_
-
-
-.. _pages_schemas:
-
-Schemas
-=======
-
-Datasette offers ``/-/schema`` endpoints to expose the SQL schema for databases and tables.
-
-.. _InstanceSchemaView:
-
-Instance schema
----------------
-
-Access ``/-/schema`` to see the complete schema for all attached databases in the Datasette instance.
-
-Use ``/-/schema.md`` to get the same information as Markdown.
-
-Use ``/-/schema.json`` to get the same information as JSON, which looks like this:
-
-.. code-block:: json
-
-    {
-      "schemas": [
-        {
-          "database": "content",
-          "schema": "create table posts ..."
-        }
-    }
-
-.. _DatabaseSchemaView:
-
-Database schema
----------------
-
-Use ``/database-name/-/schema`` to see the complete schema for a specific database. The ``.md`` and ``.json`` extensions work here too. The JSON returns an object with ``"database"`` and ``"schema"`` keys.
-
-.. _TableSchemaView:
-
-Table schema
-------------
-
-Use ``/database-name/table-name/-/schema`` to see the schema for a specific table. The ``.md`` and ``.json`` extensions work here too. The JSON returns an object with ``"database"``, ``"table"``, and ``"schema"`` keys.
diff --git a/docs/plugin_hooks.rst b/docs/plugin_hooks.rst
index 118a6bde..5b3baf3f 100644
--- a/docs/plugin_hooks.rst
+++ b/docs/plugin_hooks.rst
@@ -691,7 +691,7 @@ Help text (from the docstring for the function plus any defined Click arguments
 
 Plugins can register multiple commands by making multiple calls to the ``@cli.command()`` decorator. Consult the `Click documentation `__ for full details on how to build a CLI command, including how to define arguments and options.
 
-Note that ``register_commands()`` plugins cannot used with the :ref:`--plugins-dir mechanism ` - they need to be installed into the same virtual environment as Datasette using ``pip install``. Provided it has a ``pyproject.toml`` file (see :ref:`writing_plugins_packaging`) you can run ``pip install`` directly against the directory in which you are developing your plugin like so::
+Note that ``register_commands()`` plugins cannot used with the :ref:`--plugins-dir mechanism ` - they need to be installed into the same virtual environment as Datasette using ``pip install``. Provided it has a ``setup.py`` file (see :ref:`writing_plugins_packaging`) you can run ``pip install`` directly against the directory in which you are developing your plugin like so::
 
     pip install -e path/to/my/datasette-plugin
 
@@ -777,128 +777,52 @@ The plugin hook can then be used to register the new facet class like this:
     def register_facet_classes():
         return [SpecialFacet]
 
-.. _plugin_register_actions:
+.. _plugin_register_permissions:
 
-register_actions(datasette)
----------------------------
+register_permissions(datasette)
+--------------------------------
 
-If your plugin needs to register actions that can be checked with Datasette's new resource-based permission system, return a list of those actions from this hook.
-
-Actions define what operations can be performed on resources (like viewing a table, executing SQL, or custom plugin actions).
+If your plugin needs to register additional permissions unique to that plugin - ``upload-csvs`` for example - you can return a list of those permissions from this hook.
 
 .. code-block:: python
 
-    from datasette import hookimpl
-    from datasette.permissions import Action, Resource
-
-
-    class DocumentCollectionResource(Resource):
-        """A collection of documents."""
-
-        name = "document-collection"
-        parent_name = None
-
-        def __init__(self, collection: str):
-            super().__init__(parent=collection, child=None)
-
-        @classmethod
-        def resources_sql(cls) -> str:
-            return """
-                SELECT collection_name AS parent, NULL AS child
-                FROM document_collections
-            """
-
-
-    class DocumentResource(Resource):
-        """A document in a collection."""
-
-        name = "document"
-        parent_name = "document-collection"
-
-        def __init__(self, collection: str, document: str):
-            super().__init__(parent=collection, child=document)
-
-        @classmethod
-        def resources_sql(cls) -> str:
-            return """
-                SELECT collection_name AS parent, document_id AS child
-                FROM documents
-            """
+    from datasette import hookimpl, Permission
 
 
     @hookimpl
-    def register_actions(datasette):
+    def register_permissions(datasette):
         return [
-            Action(
-                name="list-documents",
-                abbr="ld",
-                description="List documents in a collection",
-                resource_class=DocumentCollectionResource,
-            ),
-            Action(
-                name="view-document",
-                abbr="vdoc",
-                description="View document",
-                resource_class=DocumentResource,
-            ),
-            Action(
-                name="edit-document",
-                abbr="edoc",
-                description="Edit document",
-                resource_class=DocumentResource,
-            ),
+            Permission(
+                name="upload-csvs",
+                abbr=None,
+                description="Upload CSV files",
+                takes_database=True,
+                takes_resource=False,
+                default=False,
+            )
         ]
 
-The fields of the ``Action`` dataclass are as follows:
+The fields of the ``Permission`` class are as follows:
 
 ``name`` - string
-    The name of the action, e.g. ``view-document``. This should be unique across all plugins.
+    The name of the permission, e.g. ``upload-csvs``. This should be unique across all plugins that the user might have installed, so choose carefully.
 
 ``abbr`` - string or None
-    An abbreviation of the action, e.g. ``vdoc``. This is optional. Since this needs to be unique across all installed plugins it's best to choose carefully or omit it entirely (same as setting it to ``None``.)
+    An abbreviation of the permission, e.g. ``uc``. This is optional - you can set it to ``None`` if you do not want to pick an abbreviation. Since this needs to be unique across all installed plugins it's best not to specify an abbreviation at all. If an abbreviation is provided it will be used when creating restricted signed API tokens.
 
 ``description`` - string or None
-    A human-readable description of what the action allows you to do.
+    A human-readable description of what the permission lets you do. Should make sense as the second part of a sentence that starts "A user with this permission can ...".
 
-``resource_class`` - type[Resource] or None
-    The Resource subclass that defines what kind of resource this action applies to. Omit this (or set to ``None``) for global actions that apply only at the instance level with no associated resources (like ``debug-menu`` or ``permissions-debug``). Your Resource subclass must:
+``takes_database`` - boolean
+    ``True`` if this permission can be granted on a per-database basis, ``False`` if it is only valid at the overall Datasette instance level.
 
-    - Define a ``name`` class attribute (e.g., ``"document"``)
-    - Define a ``parent_class`` class attribute (``None`` for top-level resources like databases, or the parent ``Resource`` subclass for child resources)
-    - Implement a ``resources_sql()`` classmethod that returns SQL returning all resources as ``(parent, child)`` columns
-    - Have an ``__init__`` method that accepts appropriate parameters and calls ``super().__init__(parent=..., child=...)``
+``takes_resource`` - boolean
+    ``True`` if this permission can be granted on a per-resource basis. A resource is a database table, SQL view or :ref:`canned query `.
 
-The ``resources_sql()`` method
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+``default`` - boolean
+    The default value for this permission if it is not explicitly granted to a user. ``True`` means the permission is granted by default, ``False`` means it is not.
 
-The ``resources_sql()`` classmethod returns a SQL query that lists all resources of that type that exist in the system.
-
-This query is used by Datasette to efficiently check permissions across multiple resources at once. When a user requests a list of resources (like tables, documents, or other entities), Datasette uses this SQL to:
-
-1. Get all resources of this type from your data catalog
-2. Combine it with permission rules from the ``permission_resources_sql`` hook
-3. Use SQL joins and filtering to determine which resources the actor can access
-4. Return only the permitted resources
-
-The SQL query **must** return exactly two columns:
-
-- ``parent`` - The parent identifier (e.g., database name, collection name), or ``NULL`` for top-level resources
-- ``child`` - The child identifier (e.g., table name, document ID), or ``NULL`` for parent-only resources
-
-For example, if you're building a document management plugin with collections and documents stored in a ``documents`` table, your ``resources_sql()`` might look like:
-
-.. code-block:: python
-
-    @classmethod
-    def resources_sql(cls) -> str:
-        return """
-            SELECT collection_name AS parent, document_id AS child
-            FROM documents
-        """
-
-This tells Datasette "here's how to find all documents in the system - look in the documents table and get the collection name and document ID for each one."
-
-The permission system then uses this query along with rules from plugins to determine which documents each user can access, all efficiently in SQL rather than loading everything into Python.
+    This should only be ``True`` if you want anonymous users to be able to take this action.
 
 .. _plugin_asgi_wrapper:
 
@@ -1314,191 +1238,70 @@ This example plugin causes 0 results to be returned if ``?_nothing=1`` is added
 
 Example: `datasette-leaflet-freedraw `_
 
-.. _plugin_hook_permission_resources_sql:
+.. _plugin_hook_permission_allowed:
 
-permission_resources_sql(datasette, actor, action)
---------------------------------------------------
+permission_allowed(datasette, actor, action, resource)
+------------------------------------------------------
 
 ``datasette`` - :ref:`internals_datasette`
-    Access to the Datasette instance.
+    You can use this to access plugin configuration options via ``datasette.plugin_config(your_plugin_name)``, or to execute SQL queries.
 
-``actor`` - dictionary or None
-    The current actor dictionary. ``None`` for anonymous requests.
+``actor`` - dictionary
+    The current actor, as decided by :ref:`plugin_hook_actor_from_request`.
 
 ``action`` - string
-    The permission action being evaluated. Examples include ``"view-table"`` or ``"insert-row"``.
+    The action to be performed, e.g. ``"edit-table"``.
 
-Return value
-    A :class:`datasette.permissions.PermissionSQL` object, ``None`` or an iterable of ``PermissionSQL`` objects.
+``resource`` - string or None
+    An identifier for the individual resource, e.g. the name of the table.
 
-Datasette's action-based permission resolver calls this hook to gather SQL rows describing which
-resources an actor may access (``allow = 1``) or should be denied (``allow = 0``) for a specific action.
-Each SQL snippet should return ``parent``, ``child``, ``allow`` and ``reason`` columns.
+Called to check that an actor has permission to perform an action on a resource. Can return ``True`` if the action is allowed, ``False`` if the action is not allowed or ``None`` if the plugin does not have an opinion one way or the other.
 
-**Parameter naming convention:** Plugin parameters in ``PermissionSQL.params`` should use unique names
-to avoid conflicts with other plugins. The recommended convention is to prefix parameters with your
-plugin's source name (e.g., ``myplugin_user_id``). The system reserves these parameter names:
-``:actor``, ``:actor_id``, ``:action``, and ``:filter_parent``.
-
-You can also use return ``PermissionSQL.allow(reason="reason goes here")`` or ``PermissionSQL.deny(reason="reason goes here")`` as shortcuts for simple root-level allow or deny rules. These will create SQL snippets that look like this:
-
-.. code-block:: sql
-
-    SELECT
-        NULL AS parent,
-        NULL AS child,
-        1 AS allow,
-        'reason goes here' AS reason
-
-Or ``0 AS allow`` for denies.
-
-Permission plugin examples
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-These snippets show how to use the new ``permission_resources_sql`` hook to
-contribute rows to the action-based permission resolver. Each hook receives the
-current actor dictionary (or ``None``) and must return ``None`` or an instance or list of
-``datasette.permissions.PermissionSQL`` (or a coroutine that resolves to that).
-
-Allow Alice to view a specific table
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-This plugin grants the actor with ``id == "alice"`` permission to perform the
-``view-table`` action against the ``sales`` table inside the ``accounting`` database.
+Here's an example plugin which randomly selects if a permission should be allowed or denied, except for ``view-instance`` which always uses the default permission scheme instead.
 
 .. code-block:: python
 
     from datasette import hookimpl
-    from datasette.permissions import PermissionSQL
+    import random
 
 
     @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if action != "view-table":
-            return None
-        if not actor or actor.get("id") != "alice":
-            return None
+    def permission_allowed(action):
+        if action != "view-instance":
+            # Return True or False at random
+            return random.random() > 0.5
+        # Returning None falls back to default permissions
 
-        return PermissionSQL(
-            sql="""
-                SELECT
-                    'accounting' AS parent,
-                    'sales' AS child,
-                    1 AS allow,
-                    'alice can view accounting/sales' AS reason
-            """,
-        )
+This function can alternatively return an awaitable function which itself returns ``True``, ``False`` or ``None``. You can use this option if you need to execute additional database queries using ``await datasette.execute(...)``.
 
-Restrict execute-sql to a database prefix
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Only allow ``execute-sql`` against databases whose name begins with
-``analytics_``. This shows how to use parameters that the permission resolver
-will pass through to the SQL snippet.
+Here's an example that allows users to view the ``admin_log`` table only if their actor ``id`` is present in the ``admin_users`` table. It aso disallows arbitrary SQL queries for the ``staff.db`` database for all users.
 
 .. code-block:: python
 
-    from datasette import hookimpl
-    from datasette.permissions import PermissionSQL
-
-
     @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if action != "execute-sql":
-            return None
+    def permission_allowed(datasette, actor, action, resource):
+        async def inner():
+            if action == "execute-sql" and resource == "staff":
+                return False
+            if action == "view-table" and resource == (
+                "staff",
+                "admin_log",
+            ):
+                if not actor:
+                    return False
+                user_id = actor["id"]
+                return await datasette.get_database(
+                    "staff"
+                ).execute(
+                    "select count(*) from admin_users where user_id = :user_id",
+                    {"user_id": user_id},
+                )
 
-        return PermissionSQL(
-            sql="""
-                SELECT
-                    parent,
-                    NULL AS child,
-                    1 AS allow,
-                    'execute-sql allowed for analytics_*' AS reason
-                FROM catalog_databases
-                WHERE database_name LIKE :analytics_prefix
-            """,
-            params={
-                "analytics_prefix": "analytics_%",
-            },
-        )
+        return inner
 
-Read permissions from a custom table
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+See :ref:`built-in permissions ` for a full list of permissions that are included in Datasette core.
 
-This example stores grants in an internal table called ``permission_grants``
-with columns ``(actor_id, action, parent, child, allow, reason)``.
-
-.. code-block:: python
-
-    from datasette import hookimpl
-    from datasette.permissions import PermissionSQL
-
-
-    @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if not actor:
-            return None
-
-        return PermissionSQL(
-            sql="""
-                SELECT
-                    parent,
-                    child,
-                    allow,
-                    COALESCE(reason, 'permission_grants table') AS reason
-                FROM permission_grants
-                WHERE actor_id = :grants_actor_id
-                  AND action = :grants_action
-            """,
-            params={
-                "grants_actor_id": actor.get("id"),
-                "grants_action": action,
-            },
-        )
-
-Default deny with an exception
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Combine a root-level deny with a specific table allow for trusted users.
-The resolver will automatically apply the most specific rule.
-
-.. code-block:: python
-
-    from datasette import hookimpl
-    from datasette.permissions import PermissionSQL
-
-
-    TRUSTED = {"alice", "bob"}
-
-
-    @hookimpl
-    def permission_resources_sql(datasette, actor, action):
-        if action != "view-table":
-            return None
-
-        actor_id = (actor or {}).get("id")
-
-        if actor_id not in TRUSTED:
-            return PermissionSQL(
-                sql="""
-                    SELECT NULL AS parent, NULL AS child, 0 AS allow,
-                           'default deny view-table' AS reason
-                """,
-            )
-
-        return PermissionSQL(
-            sql="""
-                SELECT NULL AS parent, NULL AS child, 0 AS allow,
-                       'default deny view-table' AS reason
-                UNION ALL
-                SELECT 'reports' AS parent, 'daily_metrics' AS child, 1 AS allow,
-                       'trusted user access' AS reason
-            """,
-            params={"actor_id": actor_id},
-        )
-
-The ``UNION ALL`` ensures the deny rule is always present, while the second row
-adds the exception for trusted users.
+Example: `datasette-permissions-sql `_
 
 .. _plugin_hook_register_magic_parameters:
 
@@ -1915,16 +1718,16 @@ This example adds a new database action for creating a table, if the user has th
 .. code-block:: python
 
     from datasette import hookimpl
-    from datasette.resources import DatabaseResource
 
 
     @hookimpl
     def database_actions(datasette, actor, database):
         async def inner():
-            if not await datasette.allowed(
+            if not await datasette.permission_allowed(
                 actor,
                 "edit-schema",
-                resource=DatabaseResource("database"),
+                resource=database,
+                default=False,
             ):
                 return []
             return [
diff --git a/docs/plugins.rst b/docs/plugins.rst
index d5a98923..03ddf8f0 100644
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@@ -198,15 +198,6 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
                 "register_output_renderer"
             ]
         },
-        {
-            "name": "datasette.default_actions",
-            "static": false,
-            "templates": false,
-            "version": null,
-            "hooks": [
-                "register_actions"
-            ]
-        },
         {
             "name": "datasette.default_magic_parameters",
             "static": false,
@@ -232,8 +223,8 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
             "version": null,
             "hooks": [
                 "actor_from_request",
-                "canned_queries",
-                "permission_resources_sql",
+                "permission_allowed",
+                "register_permissions",
                 "skip_csrf"
             ]
         },
diff --git a/docs/settings.rst b/docs/settings.rst
index 5cd49113..62810952 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -69,7 +69,7 @@ default_allow_sql
 
 Should users be able to execute arbitrary SQL queries by default?
 
-Setting this to ``off`` causes permission checks for :ref:`actions_execute_sql` to fail by default.
+Setting this to ``off`` causes permission checks for :ref:`permissions_execute_sql` to fail by default.
 
 ::
 
diff --git a/docs/sql_queries.rst b/docs/sql_queries.rst
index 7c3cd4ac..a95ccc87 100644
--- a/docs/sql_queries.rst
+++ b/docs/sql_queries.rst
@@ -7,7 +7,7 @@ Datasette treats SQLite database files as read-only and immutable. This means it
 
 The easiest way to execute custom SQL against Datasette is through the web UI. The database index page includes a SQL editor that lets you run any SELECT query you like. You can also construct queries using the filter interface on the tables page, then click "View and edit SQL" to open that query in the custom SQL editor.
 
-Note that this interface is only available if the :ref:`actions_execute_sql` permission is allowed. See :ref:`authentication_permissions_execute_sql`.
+Note that this interface is only available if the :ref:`permissions_execute_sql` permission is allowed. See :ref:`authentication_permissions_execute_sql`.
 
 Any Datasette SQL query is reflected in the URL of the page, allowing you to bookmark them, share them with others and navigate through previous queries using your browser back button.
 
diff --git a/docs/testing_plugins.rst b/docs/testing_plugins.rst
index fc1aa6f6..f1363fb4 100644
--- a/docs/testing_plugins.rst
+++ b/docs/testing_plugins.rst
@@ -33,16 +33,16 @@ You can install these packages like so::
 
     pip install pytest pytest-asyncio
 
-If you are building an installable package you can add them as test dependencies to your ``pyproject.toml`` file like this:
+If you are building an installable package you can add them as test dependencies to your ``setup.py`` module like this:
 
-.. code-block:: toml
+.. code-block:: python
 
-    [project]
-    name = "datasette-my-plugin"
-    # ...
-
-    [project.optional-dependencies]
-    test = ["pytest", "pytest-asyncio"]
+    setup(
+        name="datasette-my-plugin",
+        # ...
+        extras_require={"test": ["pytest", "pytest-asyncio"]},
+        tests_require=["datasette-my-plugin[test]"],
+    )
 
 You can then install the test dependencies like so::
 
@@ -283,12 +283,13 @@ Here's a test for that plugin that mocks the HTTPX outbound request:
 Registering a plugin for the duration of a test
 -----------------------------------------------
 
-When writing tests for plugins you may find it useful to register a test plugin just for the duration of a single test. You can do this using ``datasette.pm.register()`` and ``datasette.pm.unregister()`` like this:
+When writing tests for plugins you may find it useful to register a test plugin just for the duration of a single test. You can do this using ``pm.register()`` and ``pm.unregister()`` like this:
 
 .. code-block:: python
 
     from datasette import hookimpl
     from datasette.app import Datasette
+    from datasette.plugins import pm
     import pytest
 
 
@@ -304,14 +305,14 @@ When writing tests for plugins you may find it useful to register a test plugin
                     (r"^/error$", lambda: 1 / 0),
                 ]
 
-        datasette = Datasette()
+        pm.register(TestPlugin(), name="undo")
         try:
             # The test implementation goes here
-            datasette.pm.register(TestPlugin(), name="undo")
+            datasette = Datasette()
             response = await datasette.client.get("/error")
             assert response.status_code == 500
         finally:
-            datasette.pm.unregister(name="undo")
+            pm.unregister(name="undo")
 
 To reuse the same temporary plugin in multiple tests, you can register it inside a fixture in your ``conftest.py`` file like this:
 
diff --git a/docs/upgrade-1.0a20.md b/docs/upgrade-1.0a20.md
deleted file mode 100644
index 749d383c..00000000
--- a/docs/upgrade-1.0a20.md
+++ /dev/null
@@ -1,289 +0,0 @@
----
-orphan: true
----
-
-(upgrade_guide_v1_a20)=
-# Datasette 1.0a20 plugin upgrade guide
-
-Datasette 1.0a20 makes some breaking changes to Datasette's permission system. Plugins need to be updated if they use **any of the following**:
-
-- The `register_permissions()` plugin  hook - this should be replaced with `register_actions`
-- The `permission_allowed()` plugin hook - this should be upgraded to use `permission_resources_sql()`.
-- The `datasette.permission_allowed()` internal method - this should be replaced with `datasette.allowed()`
-- Logic that grants access to the `"root"` actor can be removed.
-
-## Permissions are now actions
-
-The `register_permissions()` hook shoud be replaced with `register_actions()`.
-
-Old code:
-
-```python
-@hookimpl
-def register_permissions(datasette):
-    return [
-        Permission(
-            name="explain-sql",
-            abbr=None,
-            description="Can explain SQL queries",
-            takes_database=True,
-            takes_resource=False,
-            default=False,
-        ),
-        Permission(
-            name="annotate-rows",
-            abbr=None,
-            description="Can annotate rows",
-            takes_database=True,
-            takes_resource=True,
-            default=False,
-        ),
-        Permission(
-            name="view-debug-info",
-            abbr=None,
-            description="Can view debug information",
-            takes_database=False,
-            takes_resource=False,
-            default=False,
-        ),
-    ]
-```
-The new `Action` does not have a `default=` parameter.
-
-Here's the equivalent new code:
-
-```python
-from datasette import hookimpl
-from datasette.permissions import Action
-from datasette.resources import DatabaseResource, TableResource
-
-@hookimpl
-def register_actions(datasette):
-    return [
-        Action(
-            name="explain-sql",
-            description="Explain SQL queries",
-            resource_class=DatabaseResource,
-        ),
-        Action(
-            name="annotate-rows",
-            description="Annotate rows",
-            resource_class=TableResource,
-        ),
-        Action(
-            name="view-debug-info",
-            description="View debug information",
-        ),
-    ]
-```
-The `abbr=` is now optional and defaults to `None`.
-
-For actions that apply to specific resources (like databases or tables), specify the `resource_class` instead of `takes_parent` and `takes_child`. Note that `view-debug-info` does not specify a `resource_class` because it applies globally.
-
-## permission_allowed() hook is replaced by permission_resources_sql()
-
-The following old code:
-```python
-@hookimpl
-def permission_allowed(action):
-    if action == "permissions-debug":
-        return True
-```
-Can be replaced by:
-```python
-from datasette.permissions import PermissionSQL
-
-@hookimpl
-def permission_resources_sql(action):
-    return PermissionSQL.allow(reason="datasette-allow-permissions-debug")
-```
-A `.deny(reason="")` class method is also available.
-
-For more complex permission checks consult the documentation for that plugin hook:
-
-
-## Using datasette.allowed() to check permissions instead of datasette.permission_allowed()
-
-The internal method `datasette.permission_allowed()` has been replaced by `datasette.allowed()`.
-
-The old method looked like this:
-```python
-can_debug = await datasette.permission_allowed(
-    request.actor,
-    "view-debug-info",
-)
-can_explain_sql = await datasette.permission_allowed(
-    request.actor,
-    "explain-sql",
-    resource="database_name",
-)
-can_annotate_rows = await datasette.permission_allowed(
-    request.actor,
-    "annotate-rows",
-    resource=(database_name, table_name),
-)
-```
-Note the confusing design here where `resource` could be either a string or a tuple depending on the permission being checked.
-
-The new keyword-only design makes this a lot more clear:
-```python
-from datasette.resources import DatabaseResource, TableResource
-can_debug = await datasette.allowed(
-    actor=request.actor,
-    action="view-debug-info",
-)
-can_explain_sql = await datasette.allowed(
-    actor=request.actor,
-    action="explain-sql",
-    resource=DatabaseResource(database_name),
-)
-can_annotate_rows = await datasette.allowed(
-    actor=request.actor,
-    action="annotate-rows",
-    resource=TableResource(database_name, table_name),
-)
-```
-
-## Root user checks are no longer necessary
-
-Some plugins would introduce their own custom permission and then ensure the `"root"` actor had access to it using a pattern like this:
-
-```python
-@hookimpl
-def register_permissions(datasette):
-    return [
-        Permission(
-            name="upload-dbs",
-            abbr=None,
-            description="Upload SQLite database files",
-            takes_database=False,
-            takes_resource=False,
-            default=False,
-        )
-    ]
-
-
-@hookimpl
-def permission_allowed(actor, action):
-    if action == "upload-dbs" and actor and actor.get("id") == "root":
-        return True
-```
-This is no longer necessary in Datasette 1.0a20 - the `"root"` actor automatically has all permissions when Datasette is started with the `datasette --root` option.
-
-The `permission_allowed()` hook in this example can be entirely removed.
-
-### Root-enabled instances during testing
-
-When writing tests that exercise root-only functionality, make sure to set `datasette.root_enabled = True` on the `Datasette` instance. Root permissions are only granted automatically when Datasette is started with `datasette --root` or when the flag is enabled directly in tests.
-
-## Target the new APIs exclusively
-
-Datasette 1.0a20’s permission system is substantially different from previous releases. Attempting to keep plugin code compatible with both the old `permission_allowed()` and the new `allowed()` interfaces leads to brittle workarounds. Prefer to adopt the 1.0a20 APIs (`register_actions`, `permission_resources_sql()`, and `datasette.allowed()`) outright and drop legacy fallbacks.
-
-## Fixing async with httpx.AsyncClient(app=app)
-
-Some older plugins may use the following pattern in their tests, which is no longer supported:
-```python
-app = Datasette([], memory=True).app()
-async with httpx.AsyncClient(app=app) as client:
-    response = await client.get("http://localhost/path")
-```
-The new pattern is to use `ds.client` like this:
-```python
-ds = Datasette([], memory=True)
-response = await ds.client.get("/path")
-```
-
-## Migrating from metadata= to config=
-
-Datasette 1.0 separates metadata (titles, descriptions, licenses) from configuration (settings, plugins, queries, permissions). Plugin tests and code need to be updated accordingly.
-
-### Update test constructors
-
-Old code:
-```python
-ds = Datasette(
-    memory=True,
-    metadata={
-        "databases": {
-            "_memory": {"queries": {"my_query": {"sql": "select 1", "title": "My Query"}}}
-        },
-        "plugins": {
-            "my-plugin": {"setting": "value"}
-        }
-    }
-)
-```
-
-New code:
-```python
-ds = Datasette(
-    memory=True,
-    config={
-        "databases": {
-            "_memory": {"queries": {"my_query": {"sql": "select 1", "title": "My Query"}}}
-        },
-        "plugins": {
-            "my-plugin": {"setting": "value"}
-        }
-    }
-)
-```
-
-### Update datasette.metadata() calls
-
-The `datasette.metadata()` method has been removed. Use these methods instead:
-
-Old code:
-```python
-try:
-    title = datasette.metadata(database=database)["queries"][query_name]["title"]
-except (KeyError, TypeError):
-    pass
-```
-
-New code:
-```python
-try:
-    query_info = await datasette.get_canned_query(database, query_name, request.actor)
-    if query_info and "title" in query_info:
-        title = query_info["title"]
-except (KeyError, TypeError):
-    pass
-```
-
-### Update render functions to async
-
-If your plugin's render function needs to call `datasette.get_canned_query()` or other async Datasette methods, it must be declared as async:
-
-Old code:
-```python
-def render_atom(datasette, request, sql, columns, rows, database, table, query_name, view_name, data):
-    # ...
-    if query_name:
-        title = datasette.metadata(database=database)["queries"][query_name]["title"]
-```
-
-New code:
-```python
-async def render_atom(datasette, request, sql, columns, rows, database, table, query_name, view_name, data):
-    # ...
-    if query_name:
-        query_info = await datasette.get_canned_query(database, query_name, request.actor)
-        if query_info and "title" in query_info:
-            title = query_info["title"]
-```
-
-### Update query URLs in tests
-
-Datasette now redirects `?sql=` parameters from database pages to the query view:
-
-Old code:
-```python
-response = await ds.client.get("/_memory.atom?sql=select+1")
-```
-
-New code:
-```python
-response = await ds.client.get("/_memory/-/query.atom?sql=select+1")
-```
diff --git a/docs/upgrade_guide.md b/docs/upgrade_guide.md
deleted file mode 100644
index a3c321a4..00000000
--- a/docs/upgrade_guide.md
+++ /dev/null
@@ -1,116 +0,0 @@
-(upgrade_guide)=
-# Upgrade guide
-
-(upgrade_guide_v1)=
-## Datasette 0.X -> 1.0
-
-This section reviews breaking changes Datasette ``1.0`` has when upgrading from a ``0.XX`` version. For new features that ``1.0`` offers, see the {ref}`changelog`.
-
-(upgrade_guide_v1_sql_queries)=
-### New URL for SQL queries
-
-Prior to ``1.0a14`` the URL for executing a SQL query looked like this:
-
-```text
-/databasename?sql=select+1
-# Or for JSON:
-/databasename.json?sql=select+1
-```
-
-This endpoint served two purposes: without a ``?sql=`` it would list the tables in the database, but with that option it would return results of a query instead.
-
-The URL for executing a SQL query now looks like this:
-
-```text
-/databasename/-/query?sql=select+1
-# Or for JSON:
-/databasename/-/query.json?sql=select+1
-```
-
-**This isn't a breaking change.** API calls to the older ``/databasename?sql=...`` endpoint will redirect to the new ``databasename/-/query?sql=...`` endpoint. Upgrading to the new URL is recommended to avoid the overhead of the additional redirect.
-
-(upgrade_guide_v1_metadata)=
-### Metadata changes
-
-Metadata was completely revamped for Datasette 1.0. There are a number of related breaking changes, from the ``metadata.yaml`` file to Python APIs, that you'll need to consider when upgrading.
-
-(upgrade_guide_v1_metadata_split)=
-#### ``metadata.yaml`` split into ``datasette.yaml``
-
-Before Datasette 1.0, the ``metadata.yaml`` file became a kitchen sink if a mix of metadata, configuration, and settings. Now ``metadata.yaml`` is strictly for metadata (ex title and descriptions of database and tables, licensing info, etc). Other settings have been moved to a ``datasette.yml`` configuration file, described in {ref}`configuration`.
-
-To start Datasette with both metadata and configuration files, run it like this:
-
-```bash
-datasette --metadata metadata.yaml --config datasette.yaml
-# Or the shortened version:
-datasette -m metadata.yml -c datasette.yml
-```
-
-(upgrade_guide_v1_metadata_upgrade)=
-#### Upgrading an existing ``metadata.yaml`` file
-
-The [datasette-upgrade plugin](https://github.com/datasette/datasette-upgrade) can be used to split a Datasette 0.x.x ``metadata.yaml`` (or ``.json``) file into separate ``metadata.yaml`` and ``datasette.yaml`` files. First, install the plugin:
-
-```bash
-datasette install datasette-upgrade
-```
-
-Then run it like this to produce the two new files:
-
-```bash
-datasette upgrade metadata-to-config metadata.json -m metadata.yml -c datasette.yml
-```
-
-#### Metadata "fallback" has been removed
-
-Certain keys in metadata like ``license`` used to "fallback" up the chain of ownership.
-For example, if you set an ``MIT`` to a database and a table within that database did not have a specified license, then that table would inherit an ``MIT`` license.
-
-This behavior has been removed in Datasette 1.0. Now license fields must be placed on all items, including individual databases and tables.
-
-(upgrade_guide_v1_metadata_removed)=
-#### The ``get_metadata()`` plugin hook has been removed
-
-In Datasette ``0.x`` plugins could implement a ``get_metadata()`` plugin hook to customize how metadata was retrieved for different instances, databases and tables.
-
-This hook could be inefficient, since some pages might load metadata for many different items (to list a large number of tables, for example) which could result in a large number of calls to potentially expensive plugin hook implementations.
-
-As of Datasette ``1.0a14`` (2024-08-05), the ``get_metadata()`` hook has been deprecated:
-
-```python
-# ❌ DEPRECATED in Datasette 1.0
-@hookimpl
-def get_metadata(datasette, key, database, table):
-    pass
-```
-
-Instead, plugins are encouraged to interact directly with Datasette's in-memory metadata tables in SQLite using the following methods on the {ref}`internals_datasette`:
-
-- {ref}`get_instance_metadata() ` and {ref}`set_instance_metadata() `
-- {ref}`get_database_metadata() ` and {ref}`set_database_metadata() `
-- {ref}`get_resource_metadata() ` and {ref}`set_resource_metadata() `
-- {ref}`get_column_metadata() ` and {ref}`set_column_metadata() `
-
-A plugin that stores or calculates its own metadata can implement the {ref}`plugin_hook_startup` hook to populate those items on startup, and then call those methods while it is running to persist any new metadata changes.
-
-(upgrade_guide_v1_metadata_json_removed)=
-#### The ``/metadata.json`` endpoint has been removed
-
-As of Datasette ``1.0a14``, the root level ``/metadata.json`` endpoint has been removed. Metadata for tables will become available through currently in-development extras in a future alpha.
-
-(upgrade_guide_v1_metadata_method_removed)=
-#### The ``metadata()`` method on the Datasette class has been removed
-
-As of Datasette ``1.0a14``, the ``.metadata()`` method on the Datasette Python API has been removed.
-
-Instead, one should use the following methods on a Datasette class:
-
-- {ref}`get_instance_metadata() `
-- {ref}`get_database_metadata() `
-- {ref}`get_resource_metadata() `
-- {ref}`get_column_metadata() `
-
-```{include} upgrade-1.0a20.md
-:heading-offset: 1
-```
diff --git a/docs/upgrade_guide.rst b/docs/upgrade_guide.rst
new file mode 100644
index 00000000..f983fb2d
--- /dev/null
+++ b/docs/upgrade_guide.rst
@@ -0,0 +1,130 @@
+.. _upgrade_guide:
+
+===============
+ Upgrade guide
+===============
+
+.. _upgrade_guide_v1:
+
+Datasette 0.X -> 1.0
+====================
+
+This section reviews breaking changes Datasette ``1.0`` has when upgrading from a ``0.XX`` version. For new features that ``1.0`` offers, see the :ref:`changelog`.
+
+.. _upgrade_guide_v1_sql_queries:
+
+New URL for SQL queries
+-----------------------
+
+Prior to ``1.0a14`` the URL for executing a SQL query looked like this:
+
+::
+
+    /databasename?sql=select+1
+    # Or for JSON:
+    /databasename.json?sql=select+1
+
+This endpoint served two purposes: without a ``?sql=`` it would list the tables in the database, but with that option it would return results of a query instead.
+
+The URL for executing a SQL query now looks like this::
+
+    /databasename/-/query?sql=select+1
+    # Or for JSON:
+    /databasename/-/query.json?sql=select+1
+
+**This isn't a breaking change.** API calls to the older ``/databasename?sql=...`` endpoint will redirect to the new ``databasename/-/query?sql=...`` endpoint. Upgrading to the new URL is recommended to avoid the overhead of the additional redirect.
+
+.. _upgrade_guide_v1_metadata:
+
+Metadata changes
+----------------
+
+Metadata was completely revamped for Datasette 1.0.  There are a number of related breaking changes, from the ``metadata.yaml`` file to Python APIs, that you'll need to consider when upgrading.
+
+.. _upgrade_guide_v1_metadata_split:
+
+``metadata.yaml`` split into ``datasette.yaml``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before Datasette 1.0, the ``metadata.yaml`` file became a kitchen sink if a mix of metadata, configuration, and settings. Now ``metadata.yaml`` is strictly for metaata (ex title and descriptions of database and tables, licensing info, etc). Other settings have been moved to a ``datasette.yml`` configuration file, described in :ref:`configuration`.
+
+To start Datasette with both metadata and configuration files, run it like this:
+
+.. code-block:: bash
+
+    datasette --metadata metadata.yaml --config datasette.yaml
+    # Or the shortened version:
+    datasette -m metadata.yml -c datasette.yml
+
+.. _upgrade_guide_v1_metadata_upgrade:
+
+Upgrading an existing ``metadata.yaml`` file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The `datasette-upgrade plugin `__ can be used to split a Datasette 0.x.x ``metadata.yaml`` (or ``.json``) file into separate ``metadata.yaml`` and ``datasette.yaml`` files. First, install the plugin:
+
+.. code-block:: bash
+
+    datasette install datasette-upgrade
+
+Then run it like this to produce the two new files:
+
+.. code-block:: bash
+
+    datasette upgrade metadata-to-config metadata.json -m metadata.yml -c datasette.yml
+
+Metadata "fallback" has been removed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Certain keys in metadata like ``license`` used to "fallback" up the chain of ownership.
+For example, if you set an ``MIT`` to a database and a table within that database did not have a specified license, then that table would inherit an ``MIT`` license.
+
+This behavior has been removed in Datasette 1.0. Now license fields must be placed on all items, including individual databases and tables.
+
+.. _upgrade_guide_v1_metadata_removed:
+
+The ``get_metadata()`` plugin hook has been removed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In Datasette ``0.x`` plugins could implement a ``get_metadata()`` plugin hook to customize how metadata was retrieved for different instances, databases and tables.
+
+This hook could be inefficient, since some pages might load metadata for many different items (to list a large number of tables, for example) which could result in a large number of calls to potentially expensive plugin hook implementations.
+
+As of Datasette ``1.0a14`` (2024-08-05), the ``get_metadata()`` hook has been deprecated:
+
+.. code-block:: python
+
+    # ❌ DEPRECATED in Datasette 1.0
+    @hookimpl
+    def get_metadata(datasette, key, database, table):
+        pass
+
+Instead, plugins are encouraged to interact directly with Datasette's in-memory metadata tables in SQLite using the following methods on the :ref:`internals_datasette`:
+
+- :ref:`get_instance_metadata() ` and  :ref:`set_instance_metadata() `
+- :ref:`get_database_metadata() ` and  :ref:`set_database_metadata() `
+- :ref:`get_resource_metadata() ` and  :ref:`set_resource_metadata() `
+- :ref:`get_column_metadata() ` and  :ref:`set_column_metadata() `
+
+A plugin that stores or calculates its own metadata can implement the :ref:`plugin_hook_startup` hook to populate those items on startup, and then call those methods while it is running to persist any new metadata changes.
+
+.. _upgrade_guide_v1_metadata_json_removed:
+
+The ``/metadata.json`` endpoint has been removed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As of Datasette ``1.0a14``, the root level ``/metadata.json`` endpoint has been removed. Metadata for tables will become available through currently in-development extras in a future alpha.
+
+.. _upgrade_guide_v1_metadata_method_removed:
+
+The ``metadata()`` method on the Datasette class has been removed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As of Datasette ``1.0a14``, the ``.metadata()`` method on the Datasette Python API has been removed.
+
+Instead, one should use the following methods on a Datasette class:
+
+- :ref:`get_instance_metadata() `
+- :ref:`get_database_metadata() `
+- :ref:`get_resource_metadata() `
+- :ref:`get_column_metadata() `
diff --git a/package-lock.json b/package-lock.json
index 35709001..f018a3e7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,7 @@
         "rollup": "^3.29.5"
       },
       "devDependencies": {
-        "prettier": "^3.0.0"
+        "prettier": "^2.2.1"
       }
     },
     "node_modules/@codemirror/autocomplete": {
@@ -391,19 +391,15 @@
       }
     },
     "node_modules/prettier": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.6.2.tgz",
-      "integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.2.1.tgz",
+      "integrity": "sha512-PqyhM2yCjg/oKkFPtTGUojv7gnZAoG80ttl45O6x2Ug/rMJw4wcc9k6aaf2hibP7BGVCCM33gZoGjyvt9mm16Q==",
       "dev": true,
-      "license": "MIT",
       "bin": {
-        "prettier": "bin/prettier.cjs"
+        "prettier": "bin-prettier.js"
       },
       "engines": {
-        "node": ">=14"
-      },
-      "funding": {
-        "url": "https://github.com/prettier/prettier?sponsor=1"
+        "node": ">=10.13.0"
       }
     },
     "node_modules/resolve": {
@@ -781,9 +777,9 @@
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="
     },
     "prettier": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.6.2.tgz",
-      "integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.2.1.tgz",
+      "integrity": "sha512-PqyhM2yCjg/oKkFPtTGUojv7gnZAoG80ttl45O6x2Ug/rMJw4wcc9k6aaf2hibP7BGVCCM33gZoGjyvt9mm16Q==",
       "dev": true
     },
     "resolve": {
diff --git a/package.json b/package.json
index 16453896..4d9ac346 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "name": "datasette",
   "private": true,
   "devDependencies": {
-    "prettier": "^3.0.0"
+    "prettier": "^2.2.1"
   },
   "scripts": {
     "fix": "npm run prettier -- --write",
diff --git a/pyproject.toml b/pyproject.toml
deleted file mode 100644
index f3053447..00000000
--- a/pyproject.toml
+++ /dev/null
@@ -1,98 +0,0 @@
-[project]
-name = "datasette"
-dynamic = ["version"]
-description = "An open source multi-tool for exploring and publishing data"
-readme = { file = "README.md", content-type = "text/markdown" }
-authors = [
-    { name = "Simon Willison" },
-]
-license = "Apache-2.0"
-requires-python = ">=3.10"
-classifiers = [
-    "Development Status :: 4 - Beta",
-    "Framework :: Datasette",
-    "Intended Audience :: Developers",
-    "Intended Audience :: Science/Research",
-    "Intended Audience :: End Users/Desktop",
-    "Topic :: Database",
-    "Programming Language :: Python :: 3.10",
-    "Programming Language :: Python :: 3.11",
-    "Programming Language :: Python :: 3.12",
-    "Programming Language :: Python :: 3.13",
-    "Programming Language :: Python :: 3.14",
-]
-
-dependencies = [
-    "asgiref>=3.2.10",
-    "click>=7.1.1",
-    "click-default-group>=1.2.3",
-    "Jinja2>=2.10.3",
-    "hupper>=1.9",
-    "httpx>=0.20,<1.0",
-    "pluggy>=1.0",
-    "uvicorn>=0.11",
-    "aiofiles>=0.4",
-    "janus>=0.6.2",
-    "asgi-csrf>=0.10",
-    "PyYAML>=5.3",
-    "mergedeep>=1.1.1",
-    "itsdangerous>=1.1",
-    "sqlite-utils>=3.30",
-    "asyncinject>=0.6.1",
-    "setuptools",
-    "pip",
-]
-
-[project.urls]
-Homepage = "https://datasette.io/"
-Documentation = "https://docs.datasette.io/en/stable/"
-Changelog = "https://docs.datasette.io/en/stable/changelog.html"
-"Live demo" = "https://latest.datasette.io/"
-"Source code" = "https://github.com/simonw/datasette"
-Issues = "https://github.com/simonw/datasette/issues"
-CI = "https://github.com/simonw/datasette/actions?query=workflow%3ATest"
-
-[project.scripts]
-datasette = "datasette.cli:cli"
-
-[project.optional-dependencies]
-docs = [
-    "Sphinx==7.4.7",
-    "furo==2025.9.25",
-    "sphinx-autobuild",
-    "codespell>=2.2.5",
-    "blacken-docs",
-    "sphinx-copybutton",
-    "sphinx-inline-tabs",
-    "myst-parser",
-    "sphinx-markdown-builder",
-    "ruamel.yaml",
-]
-test = [
-    "pytest>=9",
-    "pytest-xdist>=2.2.1",
-    "pytest-asyncio>=1.2.0",
-    "beautifulsoup4>=4.8.1",
-    "black==25.11.0",
-    "blacken-docs==1.20.0",
-    "pytest-timeout>=1.4.2",
-    "trustme>=0.7",
-    "cogapp>=3.3.0",
-]
-rich = ["rich"]
-
-[build-system]
-requires = ["setuptools"]
-build-backend = "setuptools.build_meta"
-
-[tool.setuptools.packages.find]
-include = ["datasette*"]
-
-[tool.setuptools.package-data]
-datasette = ["templates/*.html"]
-
-[tool.setuptools.dynamic]
-version = {attr = "datasette.version.__version__"}
-
-[tool.uv]
-package = true
diff --git a/pytest.ini b/pytest.ini
index 29b84ea5..9f2caac0 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -6,4 +6,5 @@ filterwarnings=
     ignore:Using or importing the ABCs::bs4.element
 markers =
     serial: tests to avoid using with pytest-xdist
-asyncio_mode = strict
\ No newline at end of file
+asyncio_mode = strict
+asyncio_default_fixture_loop_scope = function
\ No newline at end of file
diff --git a/ruff.toml b/ruff.toml
index 74447a8c..0deb884c 100644
--- a/ruff.toml
+++ b/ruff.toml
@@ -1,2 +1 @@
-line-length = 160
-target-version = "py310"
\ No newline at end of file
+line-length = 160
\ No newline at end of file
diff --git a/setup.py b/setup.py
new file mode 100644
index 00000000..48b32692
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,107 @@
+from setuptools import setup, find_packages
+import os
+
+
+def get_long_description():
+    with open(
+        os.path.join(os.path.dirname(os.path.abspath(__file__)), "README.md"),
+        encoding="utf8",
+    ) as fp:
+        return fp.read()
+
+
+def get_version():
+    path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)), "datasette", "version.py"
+    )
+    g = {}
+    with open(path) as fp:
+        exec(fp.read(), g)
+    return g["__version__"]
+
+
+setup(
+    name="datasette",
+    version=get_version(),
+    description="An open source multi-tool for exploring and publishing data",
+    long_description=get_long_description(),
+    long_description_content_type="text/markdown",
+    author="Simon Willison",
+    license="Apache License, Version 2.0",
+    url="https://datasette.io/",
+    project_urls={
+        "Documentation": "https://docs.datasette.io/en/stable/",
+        "Changelog": "https://docs.datasette.io/en/stable/changelog.html",
+        "Live demo": "https://latest.datasette.io/",
+        "Source code": "https://github.com/simonw/datasette",
+        "Issues": "https://github.com/simonw/datasette/issues",
+        "CI": "https://github.com/simonw/datasette/actions?query=workflow%3ATest",
+    },
+    packages=find_packages(exclude=("tests",)),
+    package_data={"datasette": ["templates/*.html"]},
+    include_package_data=True,
+    python_requires=">=3.8",
+    install_requires=[
+        "asgiref>=3.2.10",
+        "click>=7.1.1",
+        "click-default-group>=1.2.3",
+        "Jinja2>=2.10.3",
+        "hupper>=1.9",
+        "httpx>=0.20",
+        'importlib_resources>=1.3.1; python_version < "3.9"',
+        'importlib_metadata>=4.6; python_version < "3.10"',
+        "pluggy>=1.0",
+        "uvicorn>=0.11",
+        "aiofiles>=0.4",
+        "janus>=0.6.2",
+        "asgi-csrf>=0.10",
+        "PyYAML>=5.3",
+        "mergedeep>=1.1.1",
+        "itsdangerous>=1.1",
+        "sqlite-utils>=3.30",
+        "asyncinject>=0.5",
+        "setuptools",
+        "pip",
+    ],
+    entry_points="""
+        [console_scripts]
+        datasette=datasette.cli:cli
+    """,
+    extras_require={
+        "docs": [
+            "Sphinx==7.4.7",
+            "furo==2024.8.6",
+            "sphinx-autobuild",
+            "codespell>=2.2.5",
+            "blacken-docs",
+            "sphinx-copybutton",
+            "sphinx-inline-tabs",
+            "ruamel.yaml",
+        ],
+        "test": [
+            "pytest>=5.2.2",
+            "pytest-xdist>=2.2.1",
+            "pytest-asyncio>=0.17",
+            "beautifulsoup4>=4.8.1",
+            "black==25.1.0",
+            "blacken-docs==1.19.1",
+            "pytest-timeout>=1.4.2",
+            "trustme>=0.7",
+            "cogapp>=3.3.0",
+        ],
+        "rich": ["rich"],
+    },
+    classifiers=[
+        "Development Status :: 4 - Beta",
+        "Framework :: Datasette",
+        "Intended Audience :: Developers",
+        "Intended Audience :: Science/Research",
+        "Intended Audience :: End Users/Desktop",
+        "Topic :: Database",
+        "License :: OSI Approved :: Apache Software License",
+        "Programming Language :: Python :: 3.11",
+        "Programming Language :: Python :: 3.10",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.8",
+    ],
+)
diff --git a/tests/conftest.py b/tests/conftest.py
index ad7243c1..159a282f 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -23,10 +23,6 @@ UNDOCUMENTED_PERMISSIONS = {
     "this_is_allowed_async",
     "this_is_denied_async",
     "no_match",
-    # Test actions from test_hook_register_actions_with_custom_resources
-    "manage_documents",
-    "view_document_collection",
-    "view_document",
 }
 
 _ds_client = None
@@ -46,9 +42,7 @@ def wait_until_responds(url, timeout=5.0, client=httpx, **kwargs):
 @pytest_asyncio.fixture
 async def ds_client():
     from datasette.app import Datasette
-    from datasette.database import Database
     from .fixtures import CONFIG, METADATA, PLUGINS_DIR
-    import secrets
 
     global _ds_client
     if _ds_client is not None:
@@ -62,7 +56,6 @@ async def ds_client():
             "default_page_size": 50,
             "max_returned_rows": 100,
             "sql_time_limit_ms": 200,
-            "facet_suggest_time_limit_ms": 200,  # Up from 50 default
             # Default is 3 but this results in "too many open files"
             # errors when running the full test suite:
             "num_sql_threads": 1,
@@ -70,10 +63,7 @@ async def ds_client():
     )
     from .fixtures import TABLES, TABLE_PARAMETERIZED_SQL
 
-    # Use a unique memory_name to avoid collisions between different
-    # Datasette instances in the same process, but use "fixtures" for routing
-    unique_memory_name = f"fixtures_{secrets.token_hex(8)}"
-    db = ds.add_database(Database(ds, memory_name=unique_memory_name), name="fixtures")
+    db = ds.add_memory_database("fixtures")
     ds.remove_database("_memory")
 
     def prepare(conn):
@@ -143,30 +133,32 @@ def restore_working_directory(tmpdir, request):
 
 
 @pytest.fixture(scope="session", autouse=True)
-def check_actions_are_documented():
+def check_permission_actions_are_documented():
     from datasette.plugins import pm
 
     content = (
         pathlib.Path(__file__).parent.parent / "docs" / "authentication.rst"
     ).read_text()
-    permissions_re = re.compile(r"\.\. _actions_([^\s:]+):")
-    documented_actions = set(permissions_re.findall(content)).union(
+    permissions_re = re.compile(r"\.\. _permissions_([^\s:]+):")
+    documented_permission_actions = set(permissions_re.findall(content)).union(
         UNDOCUMENTED_PERMISSIONS
     )
 
     def before(hook_name, hook_impls, kwargs):
-        if hook_name == "permission_resources_sql":
+        if hook_name == "permission_allowed":
             datasette = kwargs["datasette"]
-            assert kwargs["action"] in datasette.actions, (
-                "'{}' has not been registered with register_actions()".format(
+            assert kwargs["action"] in datasette.permissions, (
+                "'{}' has not been registered with register_permissions()".format(
                     kwargs["action"]
                 )
                 + " (or maybe a test forgot to do await ds.invoke_startup())"
             )
             action = kwargs.get("action").replace("-", "_")
             assert (
-                action in documented_actions
-            ), "Undocumented permission action: {}".format(action)
+                action in documented_permission_actions
+            ), "Undocumented permission action: {}, resource: {}".format(
+                action, kwargs["resource"]
+            )
 
     pm.add_hookcall_monitoring(
         before=before, after=lambda outcome, hook_name, hook_impls, kwargs: None
@@ -241,27 +233,3 @@ def ds_unix_domain_socket_server(tmp_path_factory):
     yield ds_proc, uds
     # Shut it down at the end of the pytest session
     ds_proc.terminate()
-
-
-# Import fixtures from fixtures.py to make them available
-from .fixtures import (  # noqa: E402, F401
-    app_client,
-    app_client_base_url_prefix,
-    app_client_conflicting_database_names,
-    app_client_csv_max_mb_one,
-    app_client_immutable_and_inspect_file,
-    app_client_larger_cache_size,
-    app_client_no_files,
-    app_client_returned_rows_matches_page_size,
-    app_client_shorter_time_limit,
-    app_client_two_attached_databases,
-    app_client_two_attached_databases_crossdb_enabled,
-    app_client_two_attached_databases_one_immutable,
-    app_client_with_cors,
-    app_client_with_dot,
-    app_client_with_trace,
-    generate_compound_rows,
-    generate_sortable_rows,
-    make_app_client,
-    TEMP_PLUGIN_SECRET_FILE,
-)
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 8d600c9b..5f65566f 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -44,13 +44,13 @@ EXPECTED_PLUGINS = [
             "forbidden",
             "homepage_actions",
             "menu_links",
-            "permission_resources_sql",
+            "permission_allowed",
             "prepare_connection",
             "prepare_jinja2_environment",
             "query_actions",
-            "register_actions",
             "register_facet_classes",
             "register_magic_parameters",
+            "register_permissions",
             "register_routes",
             "render_cell",
             "row_actions",
@@ -73,6 +73,7 @@ EXPECTED_PLUGINS = [
             "extra_template_vars",
             "handle_exception",
             "menu_links",
+            "permission_allowed",
             "prepare_jinja2_environment",
             "register_routes",
             "render_cell",
@@ -755,41 +756,16 @@ def assert_permissions_checked(datasette, actions):
             resource = None
         else:
             action, resource = action
-
-        # Convert PermissionCheck dataclass to old resource format for comparison
-        def check_matches(pc, action, resource):
-            if pc.action != action:
-                return False
-            # Convert parent/child to old resource format
-            if pc.parent and pc.child:
-                pc_resource = (pc.parent, pc.child)
-            elif pc.parent:
-                pc_resource = pc.parent
-            else:
-                pc_resource = None
-            return pc_resource == resource
-
         assert [
             pc
             for pc in datasette._permission_checks
-            if check_matches(pc, action, resource)
+            if pc["action"] == action and pc["resource"] == resource
         ], """Missing expected permission check: action={}, resource={}
         Permission checks seen: {}
         """.format(
             action,
             resource,
-            json.dumps(
-                [
-                    {
-                        "action": pc.action,
-                        "parent": pc.parent,
-                        "child": pc.child,
-                        "result": pc.result,
-                    }
-                    for pc in datasette._permission_checks
-                ],
-                indent=4,
-            ),
+            json.dumps(list(datasette._permission_checks), indent=4),
         )
 
 
diff --git a/tests/plugins/my_plugin.py b/tests/plugins/my_plugin.py
index 96a8b4d7..2aa57e69 100644
--- a/tests/plugins/my_plugin.py
+++ b/tests/plugins/my_plugin.py
@@ -1,9 +1,7 @@
 import asyncio
-from datasette import hookimpl
+from datasette import hookimpl, Permission
 from datasette.facets import Facet
 from datasette import tracer
-from datasette.permissions import Action
-from datasette.resources import DatabaseResource
 from datasette.utils import path_with_added_args
 from datasette.utils.asgi import asgi_send_json, Response
 import base64
@@ -214,6 +212,29 @@ def asgi_wrapper():
     return wrap
 
 
+@hookimpl
+def permission_allowed(actor, action):
+    if action == "this_is_allowed":
+        return True
+    elif action == "this_is_denied":
+        return False
+    elif action == "view-database-download":
+        return actor.get("can_download") if actor else None
+    # Special permissions for latest.datasette.io demos
+    # See https://github.com/simonw/todomvc-datasette/issues/2
+    actor_id = None
+    if actor:
+        actor_id = actor.get("id")
+    if actor_id == "todomvc" and action in (
+        "insert-row",
+        "create-table",
+        "drop-table",
+        "delete-row",
+        "update-row",
+    ):
+        return True
+
+
 @hookimpl
 def register_routes():
     async def one(datasette):
@@ -452,140 +473,28 @@ def skip_csrf(scope):
 
 
 @hookimpl
-def register_actions(datasette):
-    extras_old = datasette.plugin_config("datasette-register-permissions") or {}
-    extras_new = datasette.plugin_config("datasette-register-actions") or {}
-
-    actions = [
-        Action(
-            name="action-from-plugin",
-            abbr="ap",
-            description="New action added by a plugin",
-            resource_class=DatabaseResource,
-        ),
-        Action(
-            name="view-collection",
-            abbr="vc",
-            description="View a collection",
-            resource_class=DatabaseResource,
-        ),
-        # Test actions for test_hook_custom_allowed (global actions - no resource_class)
-        Action(
-            name="this_is_allowed",
-            abbr=None,
-            description=None,
-        ),
-        Action(
-            name="this_is_denied",
-            abbr=None,
-            description=None,
-        ),
-        Action(
-            name="this_is_allowed_async",
-            abbr=None,
-            description=None,
-        ),
-        Action(
-            name="this_is_denied_async",
-            abbr=None,
-            description=None,
-        ),
+def register_permissions(datasette):
+    extras = datasette.plugin_config("datasette-register-permissions") or {}
+    permissions = [
+        Permission(
+            name="permission-from-plugin",
+            abbr="np",
+            description="New permission added by a plugin",
+            takes_database=True,
+            takes_resource=False,
+            default=False,
+        )
     ]
-
-    # Support old-style config for backwards compatibility
-    if extras_old:
-        for p in extras_old["permissions"]:
-            # Map old takes_database/takes_resource to new global/resource_class
-            if p.get("takes_database"):
-                # Has database -> DatabaseResource
-                actions.append(
-                    Action(
-                        name=p["name"],
-                        abbr=p["abbr"],
-                        description=p["description"],
-                        resource_class=DatabaseResource,
-                    )
-                )
-            else:
-                # No database -> global action (no resource_class)
-                actions.append(
-                    Action(
-                        name=p["name"],
-                        abbr=p["abbr"],
-                        description=p["description"],
-                    )
-                )
-
-    # Support new-style config
-    if extras_new:
-        for a in extras_new["actions"]:
-            # Check if this is a global action (no resource_class specified)
-            if not a.get("resource_class"):
-                actions.append(
-                    Action(
-                        name=a["name"],
-                        abbr=a["abbr"],
-                        description=a["description"],
-                    )
-                )
-            else:
-                # Map string resource_class to actual class
-                resource_class_map = {
-                    "DatabaseResource": DatabaseResource,
-                }
-                resource_class = resource_class_map.get(
-                    a.get("resource_class", "DatabaseResource"), DatabaseResource
-                )
-
-                actions.append(
-                    Action(
-                        name=a["name"],
-                        abbr=a["abbr"],
-                        description=a["description"],
-                        resource_class=resource_class,
-                    )
-                )
-
-    return actions
-
-
-@hookimpl
-def permission_resources_sql(datasette, actor, action):
-    from datasette.permissions import PermissionSQL
-
-    # Handle test actions used in test_hook_custom_allowed
-    if action == "this_is_allowed":
-        return PermissionSQL.allow(reason="test plugin allows this_is_allowed")
-    elif action == "this_is_denied":
-        return PermissionSQL.deny(reason="test plugin denies this_is_denied")
-    elif action == "this_is_allowed_async":
-        return PermissionSQL.allow(reason="test plugin allows this_is_allowed_async")
-    elif action == "this_is_denied_async":
-        return PermissionSQL.deny(reason="test plugin denies this_is_denied_async")
-    elif action == "view-database-download":
-        # Return rule based on actor's can_download permission
-        if actor and actor.get("can_download"):
-            return PermissionSQL.allow(reason="actor has can_download")
-        else:
-            return None  # No opinion
-    elif action == "view-database":
-        # Also grant view-database if actor has can_download (needed for download to work)
-        if actor and actor.get("can_download"):
-            return PermissionSQL.allow(
-                reason="actor has can_download, grants view-database"
+    if extras:
+        permissions.extend(
+            Permission(
+                name=p["name"],
+                abbr=p["abbr"],
+                description=p["description"],
+                takes_database=p["takes_database"],
+                takes_resource=p["takes_resource"],
+                default=p["default"],
             )
-        else:
-            return None
-    elif action in (
-        "insert-row",
-        "create-table",
-        "drop-table",
-        "delete-row",
-        "update-row",
-    ):
-        # Special permissions for latest.datasette.io demos
-        actor_id = actor.get("id") if actor else None
-        if actor_id == "todomvc":
-            return PermissionSQL.allow(reason=f"todomvc actor allowed for {action}")
-
-    return None
+            for p in extras["permissions"]
+        )
+    return permissions
diff --git a/tests/plugins/my_plugin_2.py b/tests/plugins/my_plugin_2.py
index 35775ef9..bb82b8c1 100644
--- a/tests/plugins/my_plugin_2.py
+++ b/tests/plugins/my_plugin_2.py
@@ -113,6 +113,24 @@ def actor_from_request(datasette, request):
     return inner
 
 
+@hookimpl
+def permission_allowed(datasette, actor, action):
+    # Testing asyncio version of permission_allowed
+    async def inner():
+        assert (
+            2
+            == (
+                await datasette.get_internal_database().execute("select 1 + 1")
+            ).first()[0]
+        )
+        if action == "this_is_allowed_async":
+            return True
+        elif action == "this_is_denied_async":
+            return False
+
+    return inner
+
+
 @hookimpl
 def prepare_jinja2_environment(env, datasette):
     env.filters["format_numeric"] = lambda s: f"{float(s):,.0f}"
diff --git a/tests/test_actions_sql.py b/tests/test_actions_sql.py
deleted file mode 100644
index 863d2529..00000000
--- a/tests/test_actions_sql.py
+++ /dev/null
@@ -1,316 +0,0 @@
-"""
-Tests for the new Resource-based permission system.
-
-These tests verify:
-1. The new Datasette.allowed_resources() method (with pagination)
-2. The new Datasette.allowed() method
-3. The include_reasons parameter for debugging
-4. That SQL does the heavy lifting (no Python filtering)
-"""
-
-import pytest
-import pytest_asyncio
-from datasette.app import Datasette
-from datasette.permissions import PermissionSQL
-from datasette.resources import TableResource
-from datasette import hookimpl
-
-
-# Test plugin that provides permission rules
-class PermissionRulesPlugin:
-    def __init__(self, rules_callback):
-        self.rules_callback = rules_callback
-
-    @hookimpl
-    def permission_resources_sql(self, datasette, actor, action):
-        """Return permission rules based on the callback"""
-        return self.rules_callback(datasette, actor, action)
-
-
-@pytest_asyncio.fixture
-async def test_ds():
-    """Create a test Datasette instance with sample data"""
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add test databases with some tables
-    db = ds.add_memory_database("analytics")
-    await db.execute_write("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY)")
-    await db.execute_write("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY)")
-    await db.execute_write(
-        "CREATE TABLE IF NOT EXISTS sensitive (id INTEGER PRIMARY KEY)"
-    )
-
-    db2 = ds.add_memory_database("production")
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS customers (id INTEGER PRIMARY KEY)"
-    )
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY)"
-    )
-
-    # Refresh schemas to populate catalog_tables in internal database
-    await ds._refresh_schemas()
-
-    return ds
-
-
-@pytest.mark.asyncio
-async def test_allowed_resources_global_allow(test_ds):
-    """Test allowed_resources() with a global allow rule"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "alice":
-            sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'global: alice has access' AS reason"
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        # Use the new allowed_resources() method
-        result = await test_ds.allowed_resources("view-table", {"id": "alice"})
-        tables = result.resources
-
-        # Alice should see all tables
-        assert len(tables) == 5
-        assert all(isinstance(t, TableResource) for t in tables)
-
-        # Check specific tables are present
-        table_set = set((t.parent, t.child) for t in tables)
-        assert ("analytics", "events") in table_set
-        assert ("analytics", "users") in table_set
-        assert ("analytics", "sensitive") in table_set
-        assert ("production", "customers") in table_set
-        assert ("production", "orders") in table_set
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_allowed_specific_resource(test_ds):
-    """Test allowed() method checks specific resource efficiently"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("role") == "analyst":
-            # Allow analytics database, deny everything else (global deny)
-            sql = """
-                SELECT NULL AS parent, NULL AS child, 0 AS allow, 'global deny' AS reason
-                UNION ALL
-                SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'analyst access' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        actor = {"id": "bob", "role": "analyst"}
-
-        # Check specific resources using allowed()
-        # This should use SQL WHERE clause, not fetch all resources
-        assert await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "users"),
-            actor=actor,
-        )
-        assert await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "events"),
-            actor=actor,
-        )
-        assert not await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("production", "orders"),
-            actor=actor,
-        )
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_allowed_resources_include_reasons(test_ds):
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("role") == "analyst":
-            sql = """
-                SELECT 'analytics' AS parent, NULL AS child, 1 AS allow,
-                       'parent: analyst access to analytics' AS reason
-                UNION ALL
-                SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow,
-                       'child: sensitive data denied' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        # Use allowed_resources with include_reasons to get debugging info
-        result = await test_ds.allowed_resources(
-            "view-table", {"id": "bob", "role": "analyst"}, include_reasons=True
-        )
-        allowed = result.resources
-
-        # Should get analytics tables except sensitive
-        assert len(allowed) >= 2  # At least users and events
-
-        # Check we can access both resource and reason
-        for resource in allowed:
-            assert isinstance(resource, TableResource)
-            assert isinstance(resource.reasons, list)
-            if resource.parent == "analytics":
-                # Should mention parent-level reason in at least one of the reasons
-                reasons_text = " ".join(resource.reasons).lower()
-                assert "analyst access" in reasons_text
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_child_deny_overrides_parent_allow(test_ds):
-    """Test that child-level DENY beats parent-level ALLOW"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("role") == "analyst":
-            sql = """
-                SELECT 'analytics' AS parent, NULL AS child, 1 AS allow,
-                       'parent: allow analytics' AS reason
-                UNION ALL
-                SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow,
-                       'child: deny sensitive' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        actor = {"id": "bob", "role": "analyst"}
-        result = await test_ds.allowed_resources("view-table", actor)
-        tables = result.resources
-
-        # Should see analytics tables except sensitive
-        analytics_tables = [t for t in tables if t.parent == "analytics"]
-        assert len(analytics_tables) >= 2
-
-        table_names = {t.child for t in analytics_tables}
-        assert "users" in table_names
-        assert "events" in table_names
-        assert "sensitive" not in table_names
-
-        # Verify with allowed() method
-        assert await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "users"),
-            actor=actor,
-        )
-        assert not await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "sensitive"),
-            actor=actor,
-        )
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_child_allow_overrides_parent_deny(test_ds):
-    """Test that child-level ALLOW beats parent-level DENY"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "carol":
-            sql = """
-                SELECT 'production' AS parent, NULL AS child, 0 AS allow,
-                       'parent: deny production' AS reason
-                UNION ALL
-                SELECT 'production' AS parent, 'orders' AS child, 1 AS allow,
-                       'child: carol can see orders' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        actor = {"id": "carol"}
-        result = await test_ds.allowed_resources("view-table", actor)
-        tables = result.resources
-
-        # Should only see production.orders
-        production_tables = [t for t in tables if t.parent == "production"]
-        assert len(production_tables) == 1
-        assert production_tables[0].child == "orders"
-
-        # Verify with allowed() method
-        assert await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("production", "orders"),
-            actor=actor,
-        )
-        assert not await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("production", "customers"),
-            actor=actor,
-        )
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_sql_does_filtering_not_python(test_ds):
-    """
-    Verify that allowed() uses SQL WHERE clause, not Python filtering.
-
-    This test doesn't actually verify the SQL itself (that would require
-    query introspection), but it demonstrates the API contract.
-    """
-
-    def rules_callback(datasette, actor, action):
-        # Deny everything by default, allow only analytics.users specifically
-        sql = """
-            SELECT NULL AS parent, NULL AS child, 0 AS allow,
-                   'global deny' AS reason
-            UNION ALL
-            SELECT 'analytics' AS parent, 'users' AS child, 1 AS allow,
-                   'specific allow' AS reason
-        """
-        return PermissionSQL(sql=sql)
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        actor = {"id": "dave"}
-
-        # allowed() should execute a targeted SQL query
-        # NOT fetch all resources and filter in Python
-        assert await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "users"),
-            actor=actor,
-        )
-        assert not await test_ds.allowed(
-            action="view-table",
-            resource=TableResource("analytics", "events"),
-            actor=actor,
-        )
-
-        # allowed_resources() should also use SQL filtering
-        result = await test_ds.allowed_resources("view-table", actor)
-        tables = result.resources
-        assert len(tables) == 1
-        assert tables[0].parent == "analytics"
-        assert tables[0].child == "users"
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
diff --git a/tests/test_actor_restriction_bug.py b/tests/test_actor_restriction_bug.py
deleted file mode 100644
index 0bfc9e1e..00000000
--- a/tests/test_actor_restriction_bug.py
+++ /dev/null
@@ -1,133 +0,0 @@
-"""
-Test for actor restrictions bug with database-level config.
-
-This test currently FAILS, demonstrating the bug where database-level
-config allow blocks can bypass table-level restrictions.
-"""
-
-import pytest
-from datasette.app import Datasette
-from datasette.resources import TableResource
-
-
-@pytest.mark.asyncio
-async def test_table_restrictions_not_bypassed_by_database_level_config():
-    """
-    Actor restrictions should act as hard limits that config cannot override.
-
-    BUG: When an actor has table-level restrictions (e.g., only table2 and table3)
-    but config has a database-level allow block, the database-level config rule
-    currently allows ALL tables, not just those in the restriction allowlist.
-
-    This test documents the expected behavior and will FAIL until the bug is fixed.
-    """
-    # Config grants access at DATABASE level (not table level)
-    config = {
-        "databases": {
-            "test_db_rnbbdlc": {
-                "allow": {
-                    "id": "user"
-                }  # Database-level allow - grants access to all tables
-            }
-        }
-    }
-
-    ds = Datasette(config=config)
-    await ds.invoke_startup()
-    db = ds.add_memory_database("test_db_rnbbdlc")
-    await db.execute_write("create table table1 (id integer primary key)")
-    await db.execute_write("create table table2 (id integer primary key)")
-    await db.execute_write("create table table3 (id integer primary key)")
-    await db.execute_write("create table table4 (id integer primary key)")
-
-    # Actor restricted to ONLY table2 and table3
-    # Even though config allows the whole database, restrictions should limit access
-    actor = {
-        "id": "user",
-        "_r": {
-            "r": {  # Resource-level (table-level) restrictions
-                "test_db_rnbbdlc": {
-                    "table2": ["vt"],  # vt = view-table abbreviation
-                    "table3": ["vt"],
-                }
-            }
-        },
-    }
-
-    # table2 should be allowed (in restriction allowlist AND config allows)
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rnbbdlc", "table2"),
-        actor=actor,
-    )
-    assert result is True, "table2 should be allowed - in restriction allowlist"
-
-    # table3 should be allowed (in restriction allowlist AND config allows)
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rnbbdlc", "table3"),
-        actor=actor,
-    )
-    assert result is True, "table3 should be allowed - in restriction allowlist"
-
-    # table1 should be DENIED (NOT in restriction allowlist)
-    # Even though database-level config allows it, restrictions should deny it
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rnbbdlc", "table1"),
-        actor=actor,
-    )
-    assert (
-        result is False
-    ), "table1 should be DENIED - not in restriction allowlist, config cannot override"
-
-    # table4 should be DENIED (NOT in restriction allowlist)
-    # Even though database-level config allows it, restrictions should deny it
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rnbbdlc", "table4"),
-        actor=actor,
-    )
-    assert (
-        result is False
-    ), "table4 should be DENIED - not in restriction allowlist, config cannot override"
-
-
-@pytest.mark.asyncio
-async def test_database_restrictions_with_database_level_config():
-    """
-    Verify that database-level restrictions work correctly with database-level config.
-
-    This should pass - it's testing the case where restriction granularity
-    matches config granularity.
-    """
-    config = {
-        "databases": {"test_db_rwdl": {"allow": {"id": "user"}}}  # Database-level allow
-    }
-
-    ds = Datasette(config=config)
-    await ds.invoke_startup()
-    db = ds.add_memory_database("test_db_rwdl")
-    await db.execute_write("create table table1 (id integer primary key)")
-    await db.execute_write("create table table2 (id integer primary key)")
-
-    # Actor has database-level restriction (all tables in test_db_rwdl)
-    actor = {
-        "id": "user",
-        "_r": {"d": {"test_db_rwdl": ["vt"]}},  # Database-level restrictions
-    }
-
-    # Both tables should be allowed (database-level restriction matches database-level config)
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rwdl", "table1"),
-        actor=actor,
-    )
-    assert result is True, "table1 should be allowed"
-
-    result = await ds.allowed(
-        action="view-table",
-        resource=TableResource("test_db_rwdl", "table2"),
-        actor=actor,
-    )
-    assert result is True, "table2 should be allowed"
diff --git a/tests/test_allowed_resources.py b/tests/test_allowed_resources.py
deleted file mode 100644
index 0cd48ea9..00000000
--- a/tests/test_allowed_resources.py
+++ /dev/null
@@ -1,593 +0,0 @@
-"""
-Tests for the allowed_resources() API.
-
-These tests verify that the allowed_resources() API correctly filters resources
-based on permission rules from plugins and configuration.
-"""
-
-import pytest
-import pytest_asyncio
-from datasette.app import Datasette
-from datasette.permissions import PermissionSQL
-from datasette import hookimpl
-
-
-# Test plugin that provides permission rules
-class PermissionRulesPlugin:
-    def __init__(self, rules_callback):
-        self.rules_callback = rules_callback
-
-    @hookimpl
-    def permission_resources_sql(self, datasette, actor, action):
-        return self.rules_callback(datasette, actor, action)
-
-
-@pytest_asyncio.fixture(scope="function")
-async def test_ds():
-    """Create a test Datasette instance with sample data (fresh for each test)"""
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add test databases with some tables
-    db = ds.add_memory_database("analytics")
-    await db.execute_write("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY)")
-    await db.execute_write("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY)")
-    await db.execute_write(
-        "CREATE TABLE IF NOT EXISTS sensitive (id INTEGER PRIMARY KEY)"
-    )
-
-    db2 = ds.add_memory_database("production")
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS customers (id INTEGER PRIMARY KEY)"
-    )
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY)"
-    )
-
-    # Refresh schemas to populate catalog_tables in internal database
-    await ds._refresh_schemas()
-
-    return ds
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_global_access(test_ds):
-    """Test /-/tables with global access permissions"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "alice":
-            sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'global: alice has access' AS reason"
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        # Use the allowed_resources API directly
-        page = await test_ds.allowed_resources("view-table", {"id": "alice"})
-
-        # Convert to the format the endpoint returns
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        # Alice should see all tables
-        assert len(result) == 5
-        table_names = {m["name"] for m in result}
-        assert "analytics/events" in table_names
-        assert "analytics/users" in table_names
-        assert "analytics/sensitive" in table_names
-        assert "production/customers" in table_names
-        assert "production/orders" in table_names
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_database_restriction(test_ds):
-    """Test /-/tables with database-level restriction"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("role") == "analyst":
-            # Allow only analytics database
-            sql = "SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'analyst access' AS reason"
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        page = await test_ds.allowed_resources(
-            "view-table", {"id": "bob", "role": "analyst"}
-        )
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        # Bob should only see analytics tables
-        analytics_tables = [m for m in result if m["name"].startswith("analytics/")]
-        production_tables = [m for m in result if m["name"].startswith("production/")]
-
-        assert len(analytics_tables) == 3
-        table_names = {m["name"] for m in analytics_tables}
-        assert "analytics/events" in table_names
-        assert "analytics/users" in table_names
-        assert "analytics/sensitive" in table_names
-
-        # Should not see production tables (unless default_permissions allows them)
-        # Note: default_permissions.py provides default allows, so we just check analytics are present
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_table_exception(test_ds):
-    """Test /-/tables with table-level exception (deny database, allow specific table)"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "carol":
-            # Deny analytics database, but allow analytics.users specifically
-            sql = """
-                SELECT 'analytics' AS parent, NULL AS child, 0 AS allow, 'deny analytics' AS reason
-                UNION ALL
-                SELECT 'analytics' AS parent, 'users' AS child, 1 AS allow, 'carol exception' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        page = await test_ds.allowed_resources("view-table", {"id": "carol"})
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        # Carol should see analytics.users but not other analytics tables
-        analytics_tables = [m for m in result if m["name"].startswith("analytics/")]
-        assert len(analytics_tables) == 1
-        table_names = {m["name"] for m in analytics_tables}
-        assert "analytics/users" in table_names
-
-        # Should NOT see analytics.events or analytics.sensitive
-        assert "analytics/events" not in table_names
-        assert "analytics/sensitive" not in table_names
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_deny_overrides_allow(test_ds):
-    """Test that child-level DENY beats parent-level ALLOW"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("role") == "analyst":
-            # Allow analytics, but deny sensitive table
-            sql = """
-                SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'allow analytics' AS reason
-                UNION ALL
-                SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow, 'deny sensitive' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        page = await test_ds.allowed_resources(
-            "view-table", {"id": "bob", "role": "analyst"}
-        )
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        analytics_tables = [m for m in result if m["name"].startswith("analytics/")]
-
-        # Should see users and events but NOT sensitive
-        table_names = {m["name"] for m in analytics_tables}
-        assert "analytics/users" in table_names
-        assert "analytics/events" in table_names
-        assert "analytics/sensitive" not in table_names
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_no_permissions():
-    """Test /-/tables when user has no custom permissions (only defaults)"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add a single database
-    db = ds.add_memory_database("testdb")
-    await db.execute_write("CREATE TABLE items (id INTEGER PRIMARY KEY)")
-    await ds._refresh_schemas()
-
-    # Unknown actor with no custom permissions
-    page = await ds.allowed_resources("view-table", {"id": "unknown"})
-    result = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Should see tables (due to default_permissions.py providing default allow)
-    assert len(result) >= 1
-    assert any(m["name"].endswith("/items") for m in result)
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_specific_table_only(test_ds):
-    """Test /-/tables when only specific tables are allowed (no parent/global rules)"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "dave":
-            # Allow only specific tables, no parent-level or global rules
-            sql = """
-                SELECT 'analytics' AS parent, 'users' AS child, 1 AS allow, 'specific table 1' AS reason
-                UNION ALL
-                SELECT 'production' AS parent, 'orders' AS child, 1 AS allow, 'specific table 2' AS reason
-            """
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        page = await test_ds.allowed_resources("view-table", {"id": "dave"})
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        # Should see only the two specifically allowed tables
-        specific_tables = [
-            m for m in result if m["name"] in ("analytics/users", "production/orders")
-        ]
-
-        assert len(specific_tables) == 2
-        table_names = {m["name"] for m in specific_tables}
-        assert "analytics/users" in table_names
-        assert "production/orders" in table_names
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_empty_result(test_ds):
-    """Test /-/tables when all tables are explicitly denied"""
-
-    def rules_callback(datasette, actor, action):
-        if actor and actor.get("id") == "blocked":
-            # Global deny
-            sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'global deny' AS reason"
-            return PermissionSQL(sql=sql)
-        return None
-
-    plugin = PermissionRulesPlugin(rules_callback)
-    test_ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        page = await test_ds.allowed_resources("view-table", {"id": "blocked"})
-        result = [
-            {
-                "name": f"{t.parent}/{t.child}",
-                "url": test_ds.urls.table(t.parent, t.child),
-            }
-            for t in page.resources
-        ]
-
-        # Global deny should block access to all tables
-        assert len(result) == 0
-
-    finally:
-        test_ds.pm.unregister(plugin, name="test_plugin")
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_no_query_returns_all():
-    """Test /-/tables without query parameter returns all tables"""
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with a few tables
-    db = ds.add_memory_database("test_db")
-    await db.execute_write("CREATE TABLE users (id INTEGER)")
-    await db.execute_write("CREATE TABLE posts (id INTEGER)")
-    await db.execute_write("CREATE TABLE comments (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables without query
-    page = await ds.allowed_resources("view-table", None)
-
-    # Should return all tables with truncated: false
-    assert len(page.resources) >= 3
-    table_names = {f"{t.parent}/{t.child}" for t in page.resources}
-    assert "test_db/users" in table_names
-    assert "test_db/posts" in table_names
-    assert "test_db/comments" in table_names
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_truncation():
-    """Test /-/tables truncates at 100 tables and sets truncated flag"""
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Create a database with 105 tables
-    db = ds.add_memory_database("big_db")
-    for i in range(105):
-        await db.execute_write(f"CREATE TABLE table_{i:03d} (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables - should be paginated with limit=100 by default
-    page = await ds.allowed_resources("view-table", None)
-    big_db_tables = [t for t in page.resources if t.parent == "big_db"]
-
-    # Should have exactly 100 tables in first page (default limit)
-    assert len(big_db_tables) == 100
-    assert page.next is not None  # More results available
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_search_single_term():
-    """Test /-/tables?q=user to filter tables matching 'user'"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with various table names
-    db = ds.add_memory_database("search_test")
-    await db.execute_write("CREATE TABLE users (id INTEGER)")
-    await db.execute_write("CREATE TABLE user_profiles (id INTEGER)")
-    await db.execute_write("CREATE TABLE events (id INTEGER)")
-    await db.execute_write("CREATE TABLE posts (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables in the new format
-    page = await ds.allowed_resources("view-table", None)
-    matches = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Filter for "user" (extract table name from "db/table")
-    import re
-
-    pattern = ".*user.*"
-    regex = re.compile(pattern, re.IGNORECASE)
-    filtered = [m for m in matches if regex.match(m["name"].split("/", 1)[1])]
-
-    # Should match users and user_profiles but not events or posts
-    table_names = {m["name"].split("/", 1)[1] for m in filtered}
-    assert "users" in table_names
-    assert "user_profiles" in table_names
-    assert "events" not in table_names
-    assert "posts" not in table_names
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_search_multiple_terms():
-    """Test /-/tables?q=user+profile to filter tables matching .*user.*profile.*"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with various table names
-    db = ds.add_memory_database("search_test2")
-    await db.execute_write("CREATE TABLE user_profiles (id INTEGER)")
-    await db.execute_write("CREATE TABLE users (id INTEGER)")
-    await db.execute_write("CREATE TABLE profile_settings (id INTEGER)")
-    await db.execute_write("CREATE TABLE events (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables in the new format
-    page = await ds.allowed_resources("view-table", None)
-    matches = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Filter for "user profile" (two terms, extract table name from "db/table")
-    import re
-
-    terms = ["user", "profile"]
-    pattern = ".*" + ".*".join(re.escape(term) for term in terms) + ".*"
-    regex = re.compile(pattern, re.IGNORECASE)
-    filtered = [m for m in matches if regex.match(m["name"].split("/", 1)[1])]
-
-    # Should match only user_profiles (has both user and profile in that order)
-    table_names = {m["name"].split("/", 1)[1] for m in filtered}
-    assert "user_profiles" in table_names
-    assert "users" not in table_names  # doesn't have "profile"
-    assert "profile_settings" not in table_names  # doesn't have "user"
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_search_ordering():
-    """Test that search results are ordered by shortest name first"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with tables of various lengths containing "user"
-    db = ds.add_memory_database("order_test")
-    await db.execute_write("CREATE TABLE users (id INTEGER)")
-    await db.execute_write("CREATE TABLE user_profiles (id INTEGER)")
-    await db.execute_write(
-        "CREATE TABLE u (id INTEGER)"
-    )  # Shortest, but doesn't match "user"
-    await db.execute_write(
-        "CREATE TABLE user_authentication_tokens (id INTEGER)"
-    )  # Longest
-    await db.execute_write("CREATE TABLE user_data (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables in the new format
-    page = await ds.allowed_resources("view-table", None)
-    matches = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Filter for "user" and sort by table name length
-    import re
-
-    pattern = ".*user.*"
-    regex = re.compile(pattern, re.IGNORECASE)
-    filtered = [m for m in matches if regex.match(m["name"].split("/", 1)[1])]
-    filtered.sort(key=lambda m: len(m["name"].split("/", 1)[1]))
-
-    # Should be ordered: users, user_data, user_profiles, user_authentication_tokens
-    matching_names = [m["name"].split("/", 1)[1] for m in filtered]
-    assert matching_names[0] == "users"  # shortest
-    assert len(matching_names[0]) < len(matching_names[1])
-    assert len(matching_names[-1]) > len(matching_names[-2])
-    assert matching_names[-1] == "user_authentication_tokens"  # longest
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_search_case_insensitive():
-    """Test that search is case-insensitive"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with mixed case table names
-    db = ds.add_memory_database("case_test")
-    await db.execute_write("CREATE TABLE Users (id INTEGER)")
-    await db.execute_write("CREATE TABLE USER_PROFILES (id INTEGER)")
-    await db.execute_write("CREATE TABLE user_data (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables in the new format
-    page = await ds.allowed_resources("view-table", None)
-    matches = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Filter for "user" (lowercase) should match all case variants
-    import re
-
-    pattern = ".*user.*"
-    regex = re.compile(pattern, re.IGNORECASE)
-    filtered = [m for m in matches if regex.match(m["name"].split("/", 1)[1])]
-
-    # Should match all three tables regardless of case
-    table_names = {m["name"].split("/", 1)[1] for m in filtered}
-    assert "Users" in table_names
-    assert "USER_PROFILES" in table_names
-    assert "user_data" in table_names
-    assert len(filtered) >= 3
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_search_no_matches():
-    """Test search with no matching tables returns empty list"""
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Add database with tables that won't match search
-    db = ds.add_memory_database("nomatch_test")
-    await db.execute_write("CREATE TABLE events (id INTEGER)")
-    await db.execute_write("CREATE TABLE posts (id INTEGER)")
-    await ds._refresh_schemas()
-
-    # Get all tables in the new format
-    page = await ds.allowed_resources("view-table", None)
-    matches = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in page.resources
-    ]
-
-    # Filter for "zzz" which doesn't exist
-    import re
-
-    pattern = ".*zzz.*"
-    regex = re.compile(pattern, re.IGNORECASE)
-    filtered = [m for m in matches if regex.match(m["name"].split("/", 1)[1])]
-
-    # Should return empty list
-    assert len(filtered) == 0
-
-
-@pytest.mark.asyncio
-async def test_tables_endpoint_config_database_allow():
-    """Test that database-level allow blocks work for view-table action"""
-
-    # Simulate: -s databases.restricted_db.allow.id root
-    config = {"databases": {"restricted_db": {"allow": {"id": "root"}}}}
-
-    ds = Datasette(config=config)
-    await ds.invoke_startup()
-
-    # Create databases
-    restricted_db = ds.add_memory_database("restricted_db")
-    await restricted_db.execute_write("CREATE TABLE users (id INTEGER)")
-    await restricted_db.execute_write("CREATE TABLE posts (id INTEGER)")
-
-    public_db = ds.add_memory_database("public_db")
-    await public_db.execute_write("CREATE TABLE articles (id INTEGER)")
-
-    await ds._refresh_schemas()
-
-    # Root user should see restricted_db tables
-    root_page = await ds.allowed_resources("view-table", {"id": "root"})
-    root_list = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in root_page.resources
-    ]
-    restricted_tables_root = [
-        m for m in root_list if m["name"].startswith("restricted_db/")
-    ]
-    assert len(restricted_tables_root) == 2
-    table_names = {m["name"] for m in restricted_tables_root}
-    assert "restricted_db/users" in table_names
-    assert "restricted_db/posts" in table_names
-
-    # Alice should NOT see restricted_db tables
-    alice_page = await ds.allowed_resources("view-table", {"id": "alice"})
-    alice_list = [
-        {"name": f"{t.parent}/{t.child}", "url": ds.urls.table(t.parent, t.child)}
-        for t in alice_page.resources
-    ]
-    restricted_tables_alice = [
-        m for m in alice_list if m["name"].startswith("restricted_db/")
-    ]
-    assert len(restricted_tables_alice) == 0
-
-    # But Alice should see public_db tables (no restrictions)
-    public_tables_alice = [m for m in alice_list if m["name"].startswith("public_db/")]
-    assert len(public_tables_alice) == 1
-    assert "public_db/articles" in {m["name"] for m in public_tables_alice}
diff --git a/tests/test_api.py b/tests/test_api.py
index 859c5809..84b33a09 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,5 +1,6 @@
 from datasette.app import Datasette
 from datasette.plugins import DEFAULT_PLUGINS
+from datasette.utils.sqlite import supports_table_xinfo
 from datasette.version import __version__
 from .fixtures import (  # noqa
     app_client,
@@ -833,41 +834,6 @@ async def test_versions_json(ds_client):
     assert data["sqlite"]["extensions"]["json1"]
 
 
-@pytest.mark.asyncio
-async def test_actions_json(ds_client):
-    original_root_enabled = ds_client.ds.root_enabled
-    try:
-        ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions.json", cookies=cookies)
-        data = response.json()
-    finally:
-        ds_client.ds.root_enabled = original_root_enabled
-    assert isinstance(data, list)
-    assert len(data) > 0
-    # Check structure of first action
-    action = data[0]
-    for key in (
-        "name",
-        "abbr",
-        "description",
-        "takes_parent",
-        "takes_child",
-        "resource_class",
-        "also_requires",
-    ):
-        assert key in action
-    # Check that some expected actions exist
-    action_names = {a["name"] for a in data}
-    for expected_action in (
-        "view-instance",
-        "view-database",
-        "view-table",
-        "execute-sql",
-    ):
-        assert expected_action in action_names
-
-
 @pytest.mark.asyncio
 async def test_settings_json(ds_client):
     response = await ds_client.get("/-/settings.json")
@@ -875,7 +841,7 @@ async def test_settings_json(ds_client):
         "default_page_size": 50,
         "default_facet_size": 30,
         "default_allow_sql": True,
-        "facet_suggest_time_limit_ms": 200,
+        "facet_suggest_time_limit_ms": 50,
         "facet_time_limit_ms": 200,
         "max_returned_rows": 100,
         "max_insert_rows": 100,
diff --git a/tests/test_api_write.py b/tests/test_api_write.py
index 3a76e655..04e61261 100644
--- a/tests/test_api_write.py
+++ b/tests/test_api_write.py
@@ -18,7 +18,6 @@ def ds_write(tmp_path_factory):
             "create table docs (id integer primary key, title text, score float, age integer)"
         )
     ds = Datasette([db_path], immutables=[db_path_immutable])
-    ds.root_enabled = True
     yield ds
     db.close()
 
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 1e1cd622..e9ba5b1c 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -1,12 +1,9 @@
 from bs4 import BeautifulSoup as Soup
+from .fixtures import app_client
 from .utils import cookie_was_deleted, last_event
 from click.testing import CliRunner
 from datasette.utils import baseconv
 from datasette.cli import cli
-from datasette.resources import (
-    DatabaseResource,
-    TableResource,
-)
 import pytest
 import time
 
@@ -340,154 +337,3 @@ def test_cli_create_token(app_client, expires):
     else:
         expected_actor = None
     assert response.json == {"actor": expected_actor}
-
-
-@pytest.mark.asyncio
-async def test_root_with_root_enabled_gets_all_permissions(ds_client):
-    """Root user with root_enabled=True gets all permissions"""
-    # Ensure catalog tables are populated
-    await ds_client.ds.invoke_startup()
-    await ds_client.ds._refresh_schemas()
-
-    # Set root_enabled to simulate --root flag
-    ds_client.ds.root_enabled = True
-
-    root_actor = {"id": "root"}
-
-    # Test instance-level permissions (no resource)
-    assert (
-        await ds_client.ds.allowed(action="permissions-debug", actor=root_actor) is True
-    )
-    assert await ds_client.ds.allowed(action="debug-menu", actor=root_actor) is True
-
-    # Test view permissions using the new ds.allowed() method
-    assert await ds_client.ds.allowed(action="view-instance", actor=root_actor) is True
-
-    assert (
-        await ds_client.ds.allowed(
-            action="view-database",
-            resource=DatabaseResource("fixtures"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="view-table",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    # Test write permissions using ds.allowed()
-    assert (
-        await ds_client.ds.allowed(
-            action="insert-row",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="delete-row",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="update-row",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="create-table",
-            resource=DatabaseResource("fixtures"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="alter-table",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-    assert (
-        await ds_client.ds.allowed(
-            action="drop-table",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is True
-    )
-
-
-@pytest.mark.asyncio
-async def test_root_without_root_enabled_no_special_permissions(ds_client):
-    """Root user without root_enabled doesn't get automatic permissions"""
-    # Ensure catalog tables are populated
-    await ds_client.ds.invoke_startup()
-    await ds_client.ds._refresh_schemas()
-
-    # Ensure root_enabled is NOT set (or is False)
-    ds_client.ds.root_enabled = False
-
-    root_actor = {"id": "root"}
-
-    # Test permissions that normally require special access
-    # Without root_enabled, root should follow normal permission rules
-
-    # View permissions should still work (default=True)
-    assert (
-        await ds_client.ds.allowed(action="view-instance", actor=root_actor) is True
-    )  # Default permission
-
-    assert (
-        await ds_client.ds.allowed(
-            action="view-database",
-            resource=DatabaseResource("fixtures"),
-            actor=root_actor,
-        )
-        is True
-    )  # Default permission
-
-    # But restricted permissions should NOT automatically be granted
-    # Test with instance-level permission (no resource class)
-    result = await ds_client.ds.allowed(action="permissions-debug", actor=root_actor)
-    assert (
-        result is not True
-    ), "Root without root_enabled should not automatically get permissions-debug"
-
-    # Test with resource-based permissions using ds.allowed()
-    assert (
-        await ds_client.ds.allowed(
-            action="create-table",
-            resource=DatabaseResource("fixtures"),
-            actor=root_actor,
-        )
-        is not True
-    ), "Root without root_enabled should not automatically get create-table"
-
-    assert (
-        await ds_client.ds.allowed(
-            action="drop-table",
-            resource=TableResource("fixtures", "facetable"),
-            actor=root_actor,
-        )
-        is not True
-    ), "Root without root_enabled should not automatically get drop-table"
diff --git a/tests/test_black.py b/tests/test_black.py
new file mode 100644
index 00000000..ccf51171
--- /dev/null
+++ b/tests/test_black.py
@@ -0,0 +1,11 @@
+import black
+from click.testing import CliRunner
+from pathlib import Path
+
+code_root = Path(__file__).parent.parent
+
+
+def test_black():
+    runner = CliRunner()
+    result = runner.invoke(black.main, [str(code_root), "--check"])
+    assert result.exit_code == 0, result.output
diff --git a/tests/test_canned_queries.py b/tests/test_canned_queries.py
index ed6202a4..c84c8cdb 100644
--- a/tests/test_canned_queries.py
+++ b/tests/test_canned_queries.py
@@ -2,7 +2,7 @@ from bs4 import BeautifulSoup as Soup
 import json
 import pytest
 import re
-from .fixtures import make_app_client
+from .fixtures import make_app_client, app_client
 
 
 @pytest.fixture
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 21b86569..17f7c1f9 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -1,4 +1,5 @@
 from .fixtures import (
+    app_client,
     make_app_client,
     TestClient as _TestClient,
     EXPECTED_PLUGINS,
@@ -142,12 +143,10 @@ def test_metadata_yaml():
         settings=[],
         secret=None,
         root=False,
-        default_deny=False,
         token=None,
         actor=None,
         version_note=None,
         get=None,
-        headers=False,
         help_settings=False,
         pdb=False,
         crossdb=False,
@@ -308,57 +307,7 @@ def test_setting_type_validation():
     runner = CliRunner()
     result = runner.invoke(cli, ["--setting", "default_page_size", "dog"])
     assert result.exit_code == 2
-    assert '"settings.default_page_size" should be an integer' in result.output
-
-
-def test_setting_boolean_validation_invalid():
-    """Test that invalid boolean values are rejected"""
-    runner = CliRunner()
-    result = runner.invoke(
-        cli, ["--setting", "default_allow_sql", "invalid", "--get", "/-/settings.json"]
-    )
-    assert result.exit_code == 2
-    assert (
-        '"settings.default_allow_sql" should be on/off/true/false/1/0' in result.output
-    )
-
-
-@pytest.mark.parametrize("value", ("off", "false", "0"))
-def test_setting_boolean_validation_false_values(value):
-    """Test that 'off', 'false', '0' work for boolean settings"""
-    runner = CliRunner()
-    result = runner.invoke(
-        cli,
-        [
-            "--setting",
-            "default_allow_sql",
-            value,
-            "--get",
-            "/_memory/-/query.json?sql=select+1",
-        ],
-    )
-    # Should be forbidden (setting is false)
-    assert result.exit_code == 1, result.output
-    assert "Forbidden" in result.output
-
-
-@pytest.mark.parametrize("value", ("on", "true", "1"))
-def test_setting_boolean_validation_true_values(value):
-    """Test that 'on', 'true', '1' work for boolean settings"""
-    runner = CliRunner()
-    result = runner.invoke(
-        cli,
-        [
-            "--setting",
-            "default_allow_sql",
-            value,
-            "--get",
-            "/_memory/-/query.json?sql=select+1&_shape=objects",
-        ],
-    )
-    # Should succeed (setting is true)
-    assert result.exit_code == 0, result.output
-    assert json.loads(result.output)["rows"][0] == {"1": 1}
+    assert '"settings.default_page_size" should be an integer' in result.stderr
 
 
 @pytest.mark.parametrize("default_allow_sql", (True, False))
@@ -449,6 +398,17 @@ def test_serve_duplicate_database_names(tmpdir):
     assert {db["name"] for db in databases} == {"db", "db_2"}
 
 
+def test_serve_deduplicate_same_database_path(tmpdir):
+    "'datasette db.db db.db' should only attach one database, /db"
+    runner = CliRunner()
+    db_path = str(tmpdir / "db.db")
+    sqlite3.connect(db_path).execute("vacuum")
+    result = runner.invoke(cli, [db_path, db_path, "--get", "/-/databases.json"])
+    assert result.exit_code == 0, result.output
+    databases = json.loads(result.output)
+    assert {db["name"] for db in databases} == {"db"}
+
+
 @pytest.mark.parametrize(
     "filename", ["test-database (1).sqlite", "database (1).sqlite"]
 )
@@ -487,57 +447,3 @@ def test_internal_db(tmpdir):
     )
     assert result.exit_code == 0
     assert internal_path.exists()
-
-
-def test_duplicate_database_files_error(tmpdir):
-    """Test that passing the same database file multiple times raises an error"""
-    runner = CliRunner()
-    db_path = str(tmpdir / "test.db")
-    sqlite3.connect(db_path).execute("vacuum")
-
-    # Test with exact duplicate
-    result = runner.invoke(cli, ["serve", db_path, db_path, "--get", "/"])
-    assert result.exit_code == 1
-    assert "Duplicate database file" in result.output
-    assert "both refer to" in result.output
-
-    # Test with different paths to same file (relative vs absolute)
-    result2 = runner.invoke(
-        cli, ["serve", db_path, str(pathlib.Path(db_path).resolve()), "--get", "/"]
-    )
-    assert result2.exit_code == 1
-    assert "Duplicate database file" in result2.output
-
-    # Test that a file in the config_dir can't also be passed explicitly
-    config_dir = tmpdir / "config"
-    config_dir.mkdir()
-    config_db_path = str(config_dir / "data.db")
-    sqlite3.connect(config_db_path).execute("vacuum")
-
-    result3 = runner.invoke(
-        cli, ["serve", config_db_path, str(config_dir), "--get", "/"]
-    )
-    assert result3.exit_code == 1
-    assert "Duplicate database file" in result3.output
-    assert "both refer to" in result3.output
-
-    # Test that mixing a file NOT in the directory with a directory works fine
-    other_db_path = str(tmpdir / "other.db")
-    sqlite3.connect(other_db_path).execute("vacuum")
-
-    result4 = runner.invoke(
-        cli, ["serve", other_db_path, str(config_dir), "--get", "/-/databases.json"]
-    )
-    assert result4.exit_code == 0
-    databases = json.loads(result4.output)
-    assert {db["name"] for db in databases} == {"other", "data"}
-
-    # Test that multiple directories raise an error
-    config_dir2 = tmpdir / "config2"
-    config_dir2.mkdir()
-
-    result5 = runner.invoke(
-        cli, ["serve", str(config_dir), str(config_dir2), "--get", "/"]
-    )
-    assert result5.exit_code == 1
-    assert "Cannot pass multiple directories" in result5.output
diff --git a/tests/test_cli_serve_get.py b/tests/test_cli_serve_get.py
index 5ad01bfa..513669a1 100644
--- a/tests/test_cli_serve_get.py
+++ b/tests/test_cli_serve_get.py
@@ -52,26 +52,6 @@ def test_serve_with_get(tmp_path_factory):
     pm.unregister(to_unregister)
 
 
-def test_serve_with_get_headers():
-    runner = CliRunner()
-    result = runner.invoke(
-        cli,
-        [
-            "serve",
-            "--memory",
-            "--get",
-            "/_memory/",
-            "--headers",
-        ],
-    )
-    # exit_code is 1 because it wasn't a 200 response
-    assert result.exit_code == 1, result.output
-    lines = result.output.splitlines()
-    assert lines and lines[0] == "HTTP/1.1 302"
-    assert "location: /_memory" in lines
-    assert "content-type: text/html; charset=utf-8" in lines
-
-
 def test_serve_with_get_and_token():
     runner = CliRunner()
     result1 = runner.invoke(
diff --git a/tests/test_config_dir.py b/tests/test_config_dir.py
index 0598a4a6..46a6d341 100644
--- a/tests/test_config_dir.py
+++ b/tests/test_config_dir.py
@@ -88,7 +88,7 @@ def test_invalid_settings(config_dir):
     try:
         with pytest.raises(StartupError) as ex:
             ds = Datasette([], config_dir=config_dir)
-        assert ex.value.args[0] == "Invalid setting 'invalid' in config file"
+        assert ex.value.args[0] == "Invalid setting 'invalid' in datasette.json"
     finally:
         (config_dir / "datasette.json").write_text(previous, "utf-8")
 
diff --git a/tests/test_config_permission_rules.py b/tests/test_config_permission_rules.py
deleted file mode 100644
index 8327ecbf..00000000
--- a/tests/test_config_permission_rules.py
+++ /dev/null
@@ -1,163 +0,0 @@
-import pytest
-
-from datasette.app import Datasette
-from datasette.database import Database
-from datasette.resources import DatabaseResource, TableResource
-
-
-async def setup_datasette(config=None, databases=None):
-    ds = Datasette(memory=True, config=config)
-    for name in databases or []:
-        ds.add_database(Database(ds, memory_name=f"{name}_memory"), name=name)
-    await ds.invoke_startup()
-    await ds.refresh_schemas()
-    return ds
-
-
-@pytest.mark.asyncio
-async def test_root_permissions_allow():
-    config = {"permissions": {"execute-sql": {"id": "alice"}}}
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "alice"},
-    )
-    assert not await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "bob"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_database_permission():
-    config = {
-        "databases": {
-            "content": {
-                "permissions": {
-                    "insert-row": {"id": "alice"},
-                }
-            }
-        }
-    }
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="insert-row",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "alice"},
-    )
-    assert not await ds.allowed(
-        action="insert-row",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "bob"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_table_permission():
-    config = {
-        "databases": {
-            "content": {
-                "tables": {"repos": {"permissions": {"delete-row": {"id": "alice"}}}}
-            }
-        }
-    }
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="delete-row",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "alice"},
-    )
-    assert not await ds.allowed(
-        action="delete-row",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "bob"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_view_table_allow_block():
-    config = {
-        "databases": {"content": {"tables": {"repos": {"allow": {"id": "alice"}}}}}
-    }
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="view-table",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "alice"},
-    )
-    assert not await ds.allowed(
-        action="view-table",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "bob"},
-    )
-    assert await ds.allowed(
-        action="view-table",
-        resource=TableResource(database="content", table="other"),
-        actor={"id": "bob"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_view_table_allow_false_blocks():
-    config = {"databases": {"content": {"tables": {"repos": {"allow": False}}}}}
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert not await ds.allowed(
-        action="view-table",
-        resource=TableResource(database="content", table="repos"),
-        actor={"id": "alice"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_allow_sql_blocks():
-    config = {"allow_sql": {"id": "alice"}}
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "alice"},
-    )
-    assert not await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "bob"},
-    )
-
-    config = {"databases": {"content": {"allow_sql": {"id": "bob"}}}}
-    ds = await setup_datasette(config=config, databases=["content"])
-
-    assert await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "bob"},
-    )
-    assert not await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "alice"},
-    )
-
-    config = {"allow_sql": False}
-    ds = await setup_datasette(config=config, databases=["content"])
-    assert not await ds.allowed(
-        action="execute-sql",
-        resource=DatabaseResource(database="content"),
-        actor={"id": "alice"},
-    )
-
-
-@pytest.mark.asyncio
-async def test_view_instance_allow_block():
-    config = {"allow": {"id": "alice"}}
-    ds = await setup_datasette(config=config)
-
-    assert await ds.allowed(action="view-instance", actor={"id": "alice"})
-    assert not await ds.allowed(action="view-instance", actor={"id": "bob"})
diff --git a/tests/test_crossdb.py b/tests/test_crossdb.py
index 1ec1a05c..bc4eaf22 100644
--- a/tests/test_crossdb.py
+++ b/tests/test_crossdb.py
@@ -2,6 +2,7 @@ from datasette.cli import cli
 from click.testing import CliRunner
 import urllib
 import sqlite3
+from .fixtures import app_client_two_attached_databases_crossdb_enabled
 
 
 def test_crossdb_join(app_client_two_attached_databases_crossdb_enabled):
diff --git a/tests/test_custom_pages.py b/tests/test_custom_pages.py
index 39a4c06b..f2cfe394 100644
--- a/tests/test_custom_pages.py
+++ b/tests/test_custom_pages.py
@@ -97,10 +97,3 @@ def test_custom_route_pattern_404(custom_pages_client):
     assert response.status == 404
     assert "
Error 404
" in response.text
     assert ">Oh no= 5
-                and len(set(next_line)) == 1
-                and next_line[0] in underline_chars
-            ):
-                # Skip if the previous line is empty (blank line before underline)
-                if not current_line:
-                    continue
-
-                # Check if this is an overline+underline style heading
-                # Look at the line before current_line to see if it's also an underline
-                if i > 0:
-                    prev_line = lines[i - 1]
-                    if (
-                        prev_line
-                        and len(prev_line) >= 5
-                        and len(set(prev_line)) == 1
-                        and prev_line[0] in underline_chars
-                        and len(prev_line) == len(next_line)
-                    ):
-                        # This is overline+underline style, skip it
-                        continue
-
-                # This is a heading underline
-                title_length = len(current_line)
-                underline_length = len(next_line)
-
-                if title_length != underline_length:
-                    errors.append(
-                        f"{rst_file.name}:{i+1}: Title length {title_length} != underline length {underline_length}\n"
-                        f"  Title: {current_line!r}\n"
-                        f"  Underline: {next_line!r}"
-                    )
-
-    if errors:
-        raise AssertionError(
-            f"Found {len(errors)} RST heading(s) with mismatched underline length:\n\n"
-            + "\n\n".join(errors)
-        )
+@pytest.mark.parametrize("fn", utils.functions_marked_as_documented)
+def test_functions_marked_with_documented_are_documented(documented_fns, fn):
+    assert fn.__name__ in documented_fns
 
 
 # Tests for testing_plugins.rst documentation
diff --git a/tests/test_docs_plugins.py b/tests/test_docs_plugins.py
index c51858d3..92b4514c 100644
--- a/tests/test_docs_plugins.py
+++ b/tests/test_docs_plugins.py
@@ -2,6 +2,7 @@
 # -- start datasette_with_plugin_fixture --
 from datasette import hookimpl
 from datasette.app import Datasette
+from datasette.plugins import pm
 import pytest
 import pytest_asyncio
 
@@ -17,12 +18,11 @@ async def datasette_with_plugin():
                 (r"^/error$", lambda: 1 / 0),
             ]
 
-    datasette = Datasette()
-    datasette.pm.register(TestPlugin(), name="undo")
+    pm.register(TestPlugin(), name="undo")
     try:
-        yield datasette
+        yield Datasette()
     finally:
-        datasette.pm.unregister(name="undo")
+        pm.unregister(name="undo")
 # -- end datasette_with_plugin_fixture --
 
 
diff --git a/tests/test_html.py b/tests/test_html.py
index 7b667301..6c838549 100644
--- a/tests/test_html.py
+++ b/tests/test_html.py
@@ -1,3 +1,4 @@
+from asgi_csrf import Errors
 from bs4 import BeautifulSoup as Soup
 from datasette.app import Datasette
 from datasette.utils import allowed_pragmas
@@ -142,7 +143,7 @@ async def test_database_page(ds_client):
 
     # And a list of tables
     for fragment in (
-        '
Tables',
+        '
Tables
',
         '
sortable
',
         "
pk, foreign_key_with_label, foreign_key_with_blank_label, ",
     ):
@@ -934,24 +935,16 @@ async def test_edit_sql_link_on_canned_queries(ds_client, path, expected):
         assert "Edit SQL" not in response.text
 
 
-@pytest.mark.parametrize(
-    "has_permission",
-    [
-        pytest.param(
-            True,
-        ),
-        False,
-    ],
-)
-def test_edit_sql_link_not_shown_if_user_lacks_permission(has_permission):
+@pytest.mark.parametrize("permission_allowed", [True, False])
+def test_edit_sql_link_not_shown_if_user_lacks_permission(permission_allowed):
     with make_app_client(
         config={
-            "allow_sql": None if has_permission else {"id": "not-you"},
+            "allow_sql": None if permission_allowed else {"id": "not-you"},
             "databases": {"fixtures": {"queries": {"simple": "select 1 + 1"}}},
         }
     ) as client:
         response = client.get("/fixtures/simple")
-        if has_permission:
+        if permission_allowed:
             assert "Edit SQL" in response.text
         else:
             assert "Edit SQL" not in response.text
@@ -969,9 +962,6 @@ def test_edit_sql_link_not_shown_if_user_lacks_permission(has_permission):
 async def test_navigation_menu_links(
     ds_client, actor_id, should_have_links, should_not_have_links
 ):
-    # Enable root user if testing with root actor
-    if actor_id == "root":
-        ds_client.ds.root_enabled = True
     cookies = {}
     if actor_id:
         cookies = {"ds_actor": ds_client.actor_cookie({"id": actor_id})}
@@ -1159,9 +1149,12 @@ async def test_database_color(ds_client):
         "/fixtures/pragma_cache_size",
     ):
         response = await ds_client.get(path)
-        assert any(
-            fragment in response.text for fragment in expected_fragments
-        ), f"Color fragments not found in {path}. Expected: {expected_fragments}"
+        result = any(fragment in response.text for fragment in expected_fragments)
+        if not result:
+            import pdb
+
+            pdb.set_trace()
+        assert any(fragment in response.text for fragment in expected_fragments)
 
 
 @pytest.mark.asyncio
@@ -1176,73 +1169,3 @@ async def test_custom_csrf_error(ds_client):
     assert response.status_code == 403
     assert response.headers["content-type"] == "text/html; charset=utf-8"
     assert "Error code is FORM_URLENCODED_MISMATCH." in response.text
-
-
-@pytest.mark.asyncio
-async def test_actions_page(ds_client):
-    original_root_enabled = ds_client.ds.root_enabled
-    try:
-        ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions", cookies=cookies)
-        assert response.status_code == 200
-        assert "Registered actions" in response.text
-        assert "
" in response.text
-        assert "view-instance" in response.text
-        assert "view-database" in response.text
-    finally:
-        ds_client.ds.root_enabled = original_root_enabled
-
-
-@pytest.mark.asyncio
-async def test_actions_page_does_not_display_none_string(ds_client):
-    """Ensure the Resource column doesn't display the string 'None' for null values."""
-    # https://github.com/simonw/datasette/issues/2599
-    original_root_enabled = ds_client.ds.root_enabled
-    try:
-        ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-        response = await ds_client.get("/-/actions", cookies=cookies)
-        assert response.status_code == 200
-        assert "None" not in response.text
-    finally:
-        ds_client.ds.root_enabled = original_root_enabled
-
-
-@pytest.mark.asyncio
-async def test_permission_debug_tabs_with_query_string(ds_client):
-    """Test that navigation tabs persist query strings across Check, Allowed, and Rules pages"""
-    original_root_enabled = ds_client.ds.root_enabled
-    try:
-        ds_client.ds.root_enabled = True
-        cookies = {"ds_actor": ds_client.actor_cookie({"id": "root"})}
-
-        # Test /-/allowed with query string
-        response = await ds_client.get(
-            "/-/allowed?action=view-table&page_size=50", cookies=cookies
-        )
-        assert response.status_code == 200
-        # Check that Rules and Check tabs have the query string
-        assert 'href="/-/rules?action=view-table&page_size=50"' in response.text
-        assert 'href="/-/check?action=view-table&page_size=50"' in response.text
-        # Playground and Actions should not have query string
-        assert 'href="/-/permissions"' in response.text
-        assert 'href="/-/actions"' in response.text
-
-        # Test /-/rules with query string
-        response = await ds_client.get(
-            "/-/rules?action=view-database&parent=test", cookies=cookies
-        )
-        assert response.status_code == 200
-        # Check that Allowed and Check tabs have the query string
-        assert 'href="/-/allowed?action=view-database&parent=test"' in response.text
-        assert 'href="/-/check?action=view-database&parent=test"' in response.text
-
-        # Test /-/check with query string
-        response = await ds_client.get("/-/check?action=execute-sql", cookies=cookies)
-        assert response.status_code == 200
-        # Check that Allowed and Rules tabs have the query string
-        assert 'href="/-/allowed?action=execute-sql"' in response.text
-        assert 'href="/-/rules?action=execute-sql"' in response.text
-    finally:
-        ds_client.ds.root_enabled = original_root_enabled
diff --git a/tests/test_internal_db.py b/tests/test_internal_db.py
index 7a0d1630..59516225 100644
--- a/tests/test_internal_db.py
+++ b/tests/test_internal_db.py
@@ -91,51 +91,3 @@ async def test_internal_foreign_key_references(ds_client):
                 )
 
     await internal_db.execute_fn(inner)
-
-
-@pytest.mark.asyncio
-async def test_stale_catalog_entry_database_fix(tmp_path):
-    """
-    Test for https://github.com/simonw/datasette/issues/2605
-
-    When the internal database persists across restarts and has entries in
-    catalog_databases for databases that no longer exist, accessing the
-    index page should not cause a 500 error (KeyError).
-    """
-    from datasette.app import Datasette
-
-    internal_db_path = str(tmp_path / "internal.db")
-    data_db_path = str(tmp_path / "data.db")
-
-    # Create a data database file
-    import sqlite3
-
-    conn = sqlite3.connect(data_db_path)
-    conn.execute("CREATE TABLE test_table (id INTEGER PRIMARY KEY)")
-    conn.close()
-
-    # First Datasette instance: with the data database and persistent internal db
-    ds1 = Datasette(files=[data_db_path], internal=internal_db_path)
-    await ds1.invoke_startup()
-
-    # Access the index page to populate the internal catalog
-    response = await ds1.client.get("/")
-    assert "data" in ds1.databases
-    assert response.status_code == 200
-
-    # Second Datasette instance: reusing internal.db but WITHOUT the data database
-    # This simulates restarting Datasette after removing a database
-    ds2 = Datasette(internal=internal_db_path)
-    await ds2.invoke_startup()
-
-    # The database is not in ds2.databases
-    assert "data" not in ds2.databases
-
-    # Accessing the index page should NOT cause a 500 error
-    # This is the bug: it currently raises KeyError when trying to
-    # access ds.databases["data"] for the stale catalog entry
-    response = await ds2.client.get("/")
-    assert response.status_code == 200, (
-        f"Index page should return 200, not {response.status_code}. "
-        "This fails due to stale catalog entries causing KeyError."
-    )
diff --git a/tests/test_internals_database.py b/tests/test_internals_database.py
index 4a078f75..89a17047 100644
--- a/tests/test_internals_database.py
+++ b/tests/test_internals_database.py
@@ -6,6 +6,7 @@ from datasette.app import Datasette
 from datasette.database import Database, Results, MultipleValues
 from datasette.utils.sqlite import sqlite3, sqlite_version
 from datasette.utils import Column
+from .fixtures import app_client, app_client_two_attached_databases_crossdb_enabled
 import pytest
 import time
 import uuid
diff --git a/tests/test_internals_datasette.py b/tests/test_internals_datasette.py
index c64620a6..fc4e42cb 100644
--- a/tests/test_internals_datasette.py
+++ b/tests/test_internals_datasette.py
@@ -3,9 +3,8 @@ Tests for the datasette.app.Datasette class
 """
 
 import dataclasses
-from datasette import Context
-from datasette.app import Datasette, Database, ResourcesSQL
-from datasette.resources import DatabaseResource
+from datasette import Forbidden, Context
+from datasette.app import Datasette, Database
 from itsdangerous import BadSignature
 import pytest
 
@@ -86,23 +85,21 @@ ALLOW_ROOT = {"allow": {"id": "root"}}
 
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
-    "actor,config,action,resource,should_allow,expected_private",
+    "actor,config,permissions,should_allow,expected_private",
     (
-        (None, ALLOW_ROOT, "view-instance", None, False, False),
-        (ROOT, ALLOW_ROOT, "view-instance", None, True, True),
+        (None, ALLOW_ROOT, ["view-instance"], False, False),
+        (ROOT, ALLOW_ROOT, ["view-instance"], True, True),
         (
             None,
             {"databases": {"_memory": ALLOW_ROOT}},
-            "view-database",
-            DatabaseResource(database="_memory"),
+            [("view-database", "_memory")],
             False,
             False,
         ),
         (
             ROOT,
             {"databases": {"_memory": ALLOW_ROOT}},
-            "view-database",
-            DatabaseResource(database="_memory"),
+            [("view-database", "_memory")],
             True,
             True,
         ),
@@ -110,21 +107,24 @@ ALLOW_ROOT = {"allow": {"id": "root"}}
         (
             ROOT,
             {"allow": True},
-            "view-instance",
-            None,
+            ["view-instance"],
             True,
             False,
         ),
     ),
 )
-async def test_datasette_check_visibility(
-    actor, config, action, resource, should_allow, expected_private
+async def test_datasette_ensure_permissions_check_visibility(
+    actor, config, permissions, should_allow, expected_private
 ):
     ds = Datasette([], memory=True, config=config)
     await ds.invoke_startup()
-    visible, private = await ds.check_visibility(
-        actor, action=action, resource=resource
-    )
+    if not should_allow:
+        with pytest.raises(Forbidden):
+            await ds.ensure_permissions(actor, permissions)
+    else:
+        await ds.ensure_permissions(actor, permissions)
+    # And try check_visibility too:
+    visible, private = await ds.check_visibility(actor, permissions=permissions)
     assert visible == should_allow
     assert private == expected_private
 
@@ -162,16 +162,17 @@ def test_datasette_error_if_string_not_list(tmpdir):
 
 
 @pytest.mark.asyncio
-async def test_get_action(ds_client):
+async def test_get_permission(ds_client):
     ds = ds_client.ds
     for name_or_abbr in ("vi", "view-instance", "vt", "view-table"):
-        action = ds.get_action(name_or_abbr)
+        permission = ds.get_permission(name_or_abbr)
         if "-" in name_or_abbr:
-            assert action.name == name_or_abbr
+            assert permission.name == name_or_abbr
         else:
-            assert action.abbr == name_or_abbr
-    # And test None return for missing action
-    assert ds.get_action("missing-permission") is None
+            assert permission.abbr == name_or_abbr
+    # And test KeyError
+    with pytest.raises(KeyError):
+        ds.get_permission("missing-permission")
 
 
 @pytest.mark.asyncio
@@ -195,14 +196,3 @@ async def test_apply_metadata_json():
     assert (await ds.client.get("/")).status_code == 200
     value = (await ds.get_instance_metadata()).get("weird_instance_value")
     assert value == '{"nested": [1, 2, 3]}'
-
-
-@pytest.mark.asyncio
-async def test_allowed_resources_sql(datasette):
-    result = await datasette.allowed_resources_sql(
-        action="view-table",
-        actor=None,
-    )
-    assert isinstance(result, ResourcesSQL)
-    assert "all_rules AS" in result.sql
-    assert result.params["action"] == "view-table"
diff --git a/tests/test_internals_datasette_client.py b/tests/test_internals_datasette_client.py
index 326fcdc0..afc9b335 100644
--- a/tests/test_internals_datasette_client.py
+++ b/tests/test_internals_datasette_client.py
@@ -1,7 +1,6 @@
 import httpx
 import pytest
 import pytest_asyncio
-from datasette.app import Datasette
 
 
 @pytest_asyncio.fixture
@@ -10,23 +9,6 @@ async def datasette(ds_client):
     return ds_client.ds
 
 
-@pytest_asyncio.fixture
-async def datasette_with_permissions():
-    """A datasette instance with permission restrictions for testing"""
-    ds = Datasette(config={"databases": {"test_db": {"allow": {"id": "admin"}}}})
-    await ds.invoke_startup()
-    db = ds.add_memory_database("test_datasette_with_permissions", name="test_db")
-    await db.execute_write(
-        "create table if not exists test_table (id integer primary key, name text)"
-    )
-    await db.execute_write(
-        "insert or ignore into test_table (id, name) values (1, 'Alice')"
-    )
-    # Trigger catalog refresh
-    await ds.client.get("/")
-    return ds
-
-
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "method,path,expected_status",
@@ -83,231 +65,3 @@ async def test_client_path(datasette, prefix, expected_path):
         assert path == expected_path
     finally:
         datasette._settings["base_url"] = original_base_url
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_allows_forbidden_access(
-    datasette_with_permissions,
-):
-    """Test that skip_permission_checks=True bypasses permission checks"""
-    ds = datasette_with_permissions
-
-    # Without skip_permission_checks, anonymous user should get 403 for protected database
-    response = await ds.client.get("/test_db.json")
-    assert response.status_code == 403
-
-    # With skip_permission_checks=True, should get 200
-    response = await ds.client.get("/test_db.json", skip_permission_checks=True)
-    assert response.status_code == 200
-    data = response.json()
-    assert data["database"] == "test_db"
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_on_table(datasette_with_permissions):
-    """Test skip_permission_checks works for table access"""
-    ds = datasette_with_permissions
-
-    # Without skip_permission_checks, should get 403
-    response = await ds.client.get("/test_db/test_table.json")
-    assert response.status_code == 403
-
-    # With skip_permission_checks=True, should get table data
-    response = await ds.client.get(
-        "/test_db/test_table.json", skip_permission_checks=True
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["rows"] == [{"id": 1, "name": "Alice"}]
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize(
-    "method", ["get", "post", "put", "patch", "delete", "options", "head"]
-)
-async def test_skip_permission_checks_all_methods(datasette_with_permissions, method):
-    """Test that skip_permission_checks works with all HTTP methods"""
-    ds = datasette_with_permissions
-
-    # All methods should work with skip_permission_checks=True
-    client_method = getattr(ds.client, method)
-    response = await client_method("/test_db.json", skip_permission_checks=True)
-    # We don't check status code since some methods might not be allowed,
-    # but we verify the request doesn't fail due to permissions
-    assert isinstance(response, httpx.Response)
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_request_method(datasette_with_permissions):
-    """Test that skip_permission_checks works with client.request()"""
-    ds = datasette_with_permissions
-
-    # Without skip_permission_checks
-    response = await ds.client.request("GET", "/test_db.json")
-    assert response.status_code == 403
-
-    # With skip_permission_checks=True
-    response = await ds.client.request(
-        "GET", "/test_db.json", skip_permission_checks=True
-    )
-    assert response.status_code == 200
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_isolated_to_request(datasette_with_permissions):
-    """Test that skip_permission_checks doesn't affect other concurrent requests"""
-    ds = datasette_with_permissions
-
-    # First request with skip_permission_checks=True should succeed
-    response1 = await ds.client.get("/test_db.json", skip_permission_checks=True)
-    assert response1.status_code == 200
-
-    # Subsequent request without it should still get 403
-    response2 = await ds.client.get("/test_db.json")
-    assert response2.status_code == 403
-
-    # And another with skip should succeed again
-    response3 = await ds.client.get("/test_db.json", skip_permission_checks=True)
-    assert response3.status_code == 200
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_with_admin_actor(datasette_with_permissions):
-    """Test that skip_permission_checks works even when actor is provided"""
-    ds = datasette_with_permissions
-
-    # Admin actor should normally have access
-    admin_cookies = {"ds_actor": ds.client.actor_cookie({"id": "admin"})}
-    response = await ds.client.get("/test_db.json", cookies=admin_cookies)
-    assert response.status_code == 200
-
-    # Non-admin actor should get 403
-    user_cookies = {"ds_actor": ds.client.actor_cookie({"id": "user"})}
-    response = await ds.client.get("/test_db.json", cookies=user_cookies)
-    assert response.status_code == 403
-
-    # Non-admin actor with skip_permission_checks=True should get 200
-    response = await ds.client.get(
-        "/test_db.json", cookies=user_cookies, skip_permission_checks=True
-    )
-    assert response.status_code == 200
-
-
-@pytest.mark.asyncio
-async def test_skip_permission_checks_shows_denied_tables():
-    """Test that skip_permission_checks=True shows tables from denied databases in /-/tables.json"""
-    ds = Datasette(
-        config={
-            "databases": {
-                "fixtures": {"allow": False}  # Deny all access to this database
-            }
-        }
-    )
-    await ds.invoke_startup()
-    db = ds.add_memory_database("fixtures")
-    await db.execute_write(
-        "CREATE TABLE test_table (id INTEGER PRIMARY KEY, name TEXT)"
-    )
-    await db.execute_write("INSERT INTO test_table (id, name) VALUES (1, 'Alice')")
-    await ds._refresh_schemas()
-
-    # Without skip_permission_checks, tables from denied database should not appear in /-/tables.json
-    response = await ds.client.get("/-/tables.json")
-    assert response.status_code == 200
-    data = response.json()
-    table_names = [match["name"] for match in data["matches"]]
-    # Should not see any fixtures tables since access is denied
-    fixtures_tables = [name for name in table_names if name.startswith("fixtures:")]
-    assert len(fixtures_tables) == 0
-
-    # With skip_permission_checks=True, tables from denied database SHOULD appear
-    response = await ds.client.get("/-/tables.json", skip_permission_checks=True)
-    assert response.status_code == 200
-    data = response.json()
-    table_names = [match["name"] for match in data["matches"]]
-    # Should see fixtures tables when permission checks are skipped
-    assert "fixtures: test_table" in table_names
-
-
-@pytest.mark.asyncio
-async def test_in_client_returns_false_outside_request(datasette):
-    """Test that datasette.in_client() returns False outside of a client request"""
-    assert datasette.in_client() is False
-
-
-@pytest.mark.asyncio
-async def test_in_client_returns_true_inside_request():
-    """Test that datasette.in_client() returns True inside a client request"""
-    from datasette import hookimpl, Response
-
-    class TestPlugin:
-        __name__ = "test_in_client_plugin"
-
-        @hookimpl
-        def register_routes(self):
-            async def test_view(datasette):
-                # Assert in_client() returns True within the view
-                assert datasette.in_client() is True
-                return Response.json({"in_client": datasette.in_client()})
-
-            return [
-                (r"^/-/test-in-client$", test_view),
-            ]
-
-    ds = Datasette()
-    await ds.invoke_startup()
-    ds.pm.register(TestPlugin(), name="test_in_client_plugin")
-    try:
-
-        # Outside of a client request, should be False
-        assert ds.in_client() is False
-
-        # Make a request via datasette.client
-        response = await ds.client.get("/-/test-in-client")
-        assert response.status_code == 200
-        assert response.json()["in_client"] is True
-
-        # After the request, should be False again
-        assert ds.in_client() is False
-    finally:
-        ds.pm.unregister(name="test_in_client_plugin")
-
-
-@pytest.mark.asyncio
-async def test_in_client_with_skip_permission_checks():
-    """Test that in_client() works regardless of skip_permission_checks value"""
-    from datasette import hookimpl
-    from datasette.utils.asgi import Response
-
-    in_client_values = []
-
-    class TestPlugin:
-        __name__ = "test_in_client_skip_plugin"
-
-        @hookimpl
-        def register_routes(self):
-            async def test_view(datasette):
-                in_client_values.append(datasette.in_client())
-                return Response.json({"in_client": datasette.in_client()})
-
-            return [
-                (r"^/-/test-in-client$", test_view),
-            ]
-
-    ds = Datasette(config={"databases": {"test_db": {"allow": {"id": "admin"}}}})
-    await ds.invoke_startup()
-    ds.pm.register(TestPlugin(), name="test_in_client_skip_plugin")
-    try:
-
-        # Request without skip_permission_checks
-        await ds.client.get("/-/test-in-client")
-        # Request with skip_permission_checks=True
-        await ds.client.get("/-/test-in-client", skip_permission_checks=True)
-
-        # Both should have detected in_client as True
-        assert (
-            len(in_client_values) == 2
-        ), f"Expected 2 values, got {len(in_client_values)}"
-        assert all(in_client_values), f"Expected all True, got {in_client_values}"
-    finally:
-        ds.pm.unregister(name="test_in_client_skip_plugin")
diff --git a/tests/test_permission_endpoints.py b/tests/test_permission_endpoints.py
deleted file mode 100644
index 84f3370f..00000000
--- a/tests/test_permission_endpoints.py
+++ /dev/null
@@ -1,501 +0,0 @@
-"""
-Tests for permission endpoints:
-- /-/allowed.json
-- /-/rules.json
-"""
-
-import pytest
-import pytest_asyncio
-from datasette.app import Datasette
-
-
-@pytest_asyncio.fixture
-async def ds_with_permissions():
-    """Create a Datasette instance with test data and permissions."""
-    ds = Datasette()
-    ds.root_enabled = True
-    await ds.invoke_startup()
-
-    # Add some test databases and tables
-    db = ds.add_memory_database("analytics")
-    await db.execute_write(
-        "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
-    )
-    await db.execute_write(
-        "CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, event_type TEXT, user_id INTEGER)"
-    )
-
-    db2 = ds.add_memory_database("production")
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, total REAL)"
-    )
-    await db2.execute_write(
-        "CREATE TABLE IF NOT EXISTS customers (id INTEGER PRIMARY KEY, name TEXT)"
-    )
-
-    await ds.refresh_schemas()
-
-    return ds
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize(
-    "path,expected_status,expected_keys",
-    [
-        # Instance level permission
-        (
-            "/-/allowed.json?action=view-instance",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Database level permission
-        (
-            "/-/allowed.json?action=view-database",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Table level permission
-        (
-            "/-/allowed.json?action=view-table",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        (
-            "/-/allowed.json?action=execute-sql",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Missing action parameter
-        ("/-/allowed.json", 400, {"error"}),
-        # Invalid action
-        ("/-/allowed.json?action=nonexistent", 404, {"error"}),
-        # Any valid action works, even if no permission rules exist for it
-        (
-            "/-/allowed.json?action=insert-row",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-    ],
-)
-async def test_allowed_json_basic(
-    ds_with_permissions, path, expected_status, expected_keys
-):
-    response = await ds_with_permissions.client.get(path)
-    assert response.status_code == expected_status
-    data = response.json()
-    assert expected_keys.issubset(data.keys())
-
-
-@pytest.mark.asyncio
-async def test_allowed_json_response_structure(ds_with_permissions):
-    """Test that /-/allowed.json returns the expected structure."""
-    response = await ds_with_permissions.client.get(
-        "/-/allowed.json?action=view-instance"
-    )
-    assert response.status_code == 200
-    data = response.json()
-
-    # Check required fields
-    assert "action" in data
-    assert "actor_id" in data
-    assert "page" in data
-    assert "page_size" in data
-    assert "total" in data
-    assert "items" in data
-
-    # Check items structure
-    assert isinstance(data["items"], list)
-    if data["items"]:
-        item = data["items"][0]
-        assert "parent" in item
-        assert "child" in item
-        assert "resource" in item
-
-
-@pytest.mark.asyncio
-async def test_allowed_json_with_actor(ds_with_permissions):
-    """Test /-/allowed.json includes actor information."""
-    response = await ds_with_permissions.client.get(
-        "/-/allowed.json?action=view-table",
-        cookies={
-            "ds_actor": ds_with_permissions.client.actor_cookie({"id": "test_user"})
-        },
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["actor_id"] == "test_user"
-
-
-@pytest.mark.asyncio
-async def test_allowed_json_pagination():
-    """Test that /-/allowed.json pagination works."""
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Create many tables to test pagination
-    db = ds.add_memory_database("test")
-    for i in range(30):
-        await db.execute_write(f"CREATE TABLE table{i:02d} (id INTEGER PRIMARY KEY)")
-    await ds.refresh_schemas()
-
-    # Test page 1
-    response = await ds.client.get(
-        "/-/allowed.json?action=view-table&page_size=10&page=1"
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["page"] == 1
-    assert data["page_size"] == 10
-    assert len(data["items"]) == 10
-
-    # Test page 2
-    response = await ds.client.get(
-        "/-/allowed.json?action=view-table&page_size=10&page=2"
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["page"] == 2
-    assert len(data["items"]) == 10
-
-    # Verify items are different between pages
-    response1 = await ds.client.get(
-        "/-/allowed.json?action=view-table&page_size=10&page=1"
-    )
-    response2 = await ds.client.get(
-        "/-/allowed.json?action=view-table&page_size=10&page=2"
-    )
-    items1 = {(item["parent"], item["child"]) for item in response1.json()["items"]}
-    items2 = {(item["parent"], item["child"]) for item in response2.json()["items"]}
-    assert items1 != items2
-
-
-@pytest.mark.asyncio
-async def test_allowed_json_total_count(tmp_path_factory):
-    """Test that /-/allowed.json returns correct total count."""
-    from datasette.database import Database
-
-    # Use temporary file databases to avoid leakage from other tests
-    tmp_dir = tmp_path_factory.mktemp("test_allowed_json_total_count")
-
-    ds = Datasette()
-    await ds.invoke_startup()
-
-    # Create test databases with tables
-    analytics_db = ds.add_database(
-        Database(ds, path=str(tmp_dir / "analytics.db")), name="analytics"
-    )
-    await analytics_db.execute_write(
-        "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
-    )
-    await analytics_db.execute_write(
-        "CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, event_type TEXT, user_id INTEGER)"
-    )
-
-    production_db = ds.add_database(
-        Database(ds, path=str(tmp_dir / "production.db")), name="production"
-    )
-    await production_db.execute_write(
-        "CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, total REAL)"
-    )
-    await production_db.execute_write(
-        "CREATE TABLE IF NOT EXISTS customers (id INTEGER PRIMARY KEY, name TEXT)"
-    )
-
-    await ds.refresh_schemas()
-
-    response = await ds.client.get("/-/allowed.json?action=view-table")
-    assert response.status_code == 200
-    data = response.json()
-
-    # We created 4 tables total (2 in analytics, 2 in production)
-    import json
-
-    assert (
-        data["total"] == 4
-    ), f"Expected total=4, got: {json.dumps(data, separators=(',', ':'))}"
-
-
-# /-/rules.json tests
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize(
-    "path,expected_status,expected_keys",
-    [
-        # Instance level rules
-        (
-            "/-/rules.json?action=view-instance",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Database level rules
-        (
-            "/-/rules.json?action=view-database",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Table level rules
-        (
-            "/-/rules.json?action=view-table",
-            200,
-            {"action", "items", "total", "page"},
-        ),
-        # Missing action parameter
-        ("/-/rules.json", 400, {"error"}),
-        # Invalid action
-        ("/-/rules.json?action=nonexistent", 404, {"error"}),
-    ],
-)
-async def test_rules_json_basic(
-    ds_with_permissions, path, expected_status, expected_keys
-):
-    # Use root actor for rules endpoint (requires permissions-debug)
-    response = await ds_with_permissions.client.get(
-        path,
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == expected_status
-    data = response.json()
-    assert expected_keys.issubset(data.keys())
-
-
-@pytest.mark.asyncio
-async def test_rules_json_response_structure(ds_with_permissions):
-    """Test that /-/rules.json returns the expected structure."""
-    response = await ds_with_permissions.client.get(
-        "/-/rules.json?action=view-instance",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-
-    # Check required fields
-    assert "action" in data
-    assert "actor_id" in data
-    assert "page" in data
-    assert "page_size" in data
-    assert "total" in data
-    assert "items" in data
-
-    # Check items structure
-    assert isinstance(data["items"], list)
-    if data["items"]:
-        item = data["items"][0]
-        assert "parent" in item
-        assert "child" in item
-        assert "resource" in item
-        assert "allow" in item
-        assert "reason" in item
-
-
-@pytest.mark.asyncio
-async def test_rules_json_includes_all_rules(ds_with_permissions):
-    """Test that /-/rules.json includes both allowed and denied resources."""
-    # Root user should see rules for everything
-    response = await ds_with_permissions.client.get(
-        "/-/rules.json?action=view-table",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-
-    # Should have items (root has global allow)
-    assert len(data["items"]) > 0
-
-    # Each item should have allow field (0 or 1)
-    for item in data["items"]:
-        assert "allow" in item
-        assert item["allow"] in [0, 1]
-
-
-@pytest.mark.asyncio
-async def test_rules_json_pagination():
-    """Test that /-/rules.json pagination works."""
-    ds = Datasette()
-    ds.root_enabled = True
-    await ds.invoke_startup()
-
-    # Create some tables
-    db = ds.add_memory_database("test")
-    for i in range(5):
-        await db.execute_write(
-            f"CREATE TABLE IF NOT EXISTS table{i:02d} (id INTEGER PRIMARY KEY)"
-        )
-    await ds.refresh_schemas()
-
-    # Test basic pagination structure - just verify it returns paginated results
-    response = await ds.client.get(
-        "/-/rules.json?action=view-table&page_size=2&page=1",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["page"] == 1
-    assert data["page_size"] == 2
-    # Verify items is a list (may have fewer items than page_size if there aren't many rules)
-    assert isinstance(data["items"], list)
-    assert "total" in data
-
-
-@pytest.mark.asyncio
-async def test_rules_json_with_actor(ds_with_permissions):
-    """Test /-/rules.json includes actor information."""
-    # Use root actor (rules endpoint requires permissions-debug)
-    response = await ds_with_permissions.client.get(
-        "/-/rules.json?action=view-table",
-        cookies={"ds_actor": ds_with_permissions.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-    assert data["actor_id"] == "root"
-
-
-@pytest.mark.asyncio
-async def test_root_user_respects_settings_deny():
-    """
-    Test for issue #2509: Settings-based deny rules should override root user privileges.
-
-    When a database has `allow: false` in settings, the root user should NOT see
-    that database in /-/allowed.json?action=view-database.
-    """
-    ds = Datasette(
-        config={
-            "databases": {
-                "content": {
-                    "allow": False,  # Deny everyone, including root
-                }
-            }
-        }
-    )
-    ds.root_enabled = True
-    await ds.invoke_startup()
-    ds.add_memory_database("content")
-
-    # Root user should NOT see the denied database
-    response = await ds.client.get(
-        "/-/allowed.json?action=view-database",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-
-    # Check that content database is NOT in the allowed list
-    allowed_databases = [item["parent"] for item in data["items"]]
-    assert "content" not in allowed_databases, (
-        f"Root user should not see 'content' database when settings deny it, "
-        f"but found it in: {allowed_databases}"
-    )
-
-
-@pytest.mark.asyncio
-async def test_root_user_respects_settings_deny_tables():
-    """
-    Test for issue #2509: Settings-based deny rules should override root for tables too.
-
-    When a database has `allow: false` in settings, the root user should NOT see
-    tables from that database in /-/allowed.json?action=view-table.
-    """
-    ds = Datasette(
-        config={
-            "databases": {
-                "content": {
-                    "allow": False,  # Deny everyone, including root
-                }
-            }
-        }
-    )
-    ds.root_enabled = True
-    await ds.invoke_startup()
-
-    # Add a database with a table
-    db = ds.add_memory_database("content")
-    await db.execute_write("CREATE TABLE repos (id INTEGER PRIMARY KEY, name TEXT)")
-    await ds.refresh_schemas()
-
-    # Root user should NOT see tables from the content database
-    response = await ds.client.get(
-        "/-/allowed.json?action=view-table",
-        cookies={"ds_actor": ds.client.actor_cookie({"id": "root"})},
-    )
-    assert response.status_code == 200
-    data = response.json()
-
-    # Check that content.repos table is NOT in the allowed list
-    content_tables = [
-        item["child"] for item in data["items"] if item["parent"] == "content"
-    ]
-    assert "repos" not in content_tables, (
-        f"Root user should not see tables from 'content' database when settings deny it, "
-        f"but found: {content_tables}"
-    )
-
-
-@pytest.mark.asyncio
-async def test_execute_sql_requires_view_database():
-    """
-    Test for issue #2527: execute-sql permission should require view-database permission.
-
-    A user who has execute-sql permission but not view-database permission should not
-    be able to execute SQL on that database.
-    """
-    from datasette.permissions import PermissionSQL
-    from datasette import hookimpl
-
-    class TestPermissionPlugin:
-        __name__ = "TestPermissionPlugin"
-
-        @hookimpl
-        def permission_resources_sql(self, datasette, actor, action):
-            if actor is None or actor.get("id") != "test_user":
-                return []
-
-            if action == "execute-sql":
-                # Grant execute-sql on the "secret" database
-                return PermissionSQL(
-                    sql="SELECT 'secret' AS parent, NULL AS child, 1 AS allow, 'can execute sql' AS reason",
-                )
-            elif action == "view-database":
-                # Deny view-database on the "secret" database
-                return PermissionSQL(
-                    sql="SELECT 'secret' AS parent, NULL AS child, 0 AS allow, 'cannot view db' AS reason",
-                )
-
-            return []
-
-    plugin = TestPermissionPlugin()
-
-    ds = Datasette()
-    await ds.invoke_startup()
-    ds.pm.register(plugin, name="test_plugin")
-
-    try:
-        ds.add_memory_database("secret")
-        await ds.refresh_schemas()
-
-        # User should NOT have execute-sql permission because view-database is denied
-        response = await ds.client.get(
-            "/-/allowed.json?action=execute-sql",
-            cookies={"ds_actor": ds.client.actor_cookie({"id": "test_user"})},
-        )
-        assert response.status_code == 200
-        data = response.json()
-
-        # The "secret" database should NOT be in the allowed list for execute-sql
-        allowed_databases = [item["parent"] for item in data["items"]]
-        assert "secret" not in allowed_databases, (
-            f"User should not have execute-sql permission without view-database, "
-            f"but found 'secret' in: {allowed_databases}"
-        )
-
-        # Also verify that attempting to execute SQL on the database is denied
-        # (may be 403 or 302 redirect to login/error page depending on middleware)
-        response = await ds.client.get(
-            "/secret?sql=SELECT+1",
-            cookies={"ds_actor": ds.client.actor_cookie({"id": "test_user"})},
-        )
-        assert response.status_code in (302, 403), (
-            f"Expected 302 or 403 when trying to execute SQL without view-database permission, "
-            f"but got {response.status_code}"
-        )
-    finally:
-        ds.pm.unregister(plugin)
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index e2dd92b8..c5139d20 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -40,8 +40,6 @@ async def perms_ds():
     await one.execute_write("create view if not exists v1 as select * from t1")
     await one.execute_write("create table if not exists t2 (id integer primary key)")
     await two.execute_write("create table if not exists t1 (id integer primary key)")
-    # Trigger catalog refresh so allowed_resources() can be called
-    await ds.client.get("/")
     return ds
 
 
@@ -61,12 +59,7 @@ async def perms_ds():
         "/-/api",
         "/fixtures/compound_three_primary_keys",
         "/fixtures/compound_three_primary_keys/a,a,a",
-        pytest.param(
-            "/fixtures/two",
-            marks=pytest.mark.xfail(
-                reason="view-query not yet migrated to new permission system"
-            ),
-        ),  # Query
+        "/fixtures/two",  # Query
     ),
 )
 def test_view_padlock(allow, expected_anon, expected_auth, path, padlock_client):
@@ -359,7 +352,7 @@ def test_query_list_respects_view_query():
                 ("view-database-download", "fixtures"),
             ],
         ),
-        pytest.param(
+        (
             "/fixtures/neighborhood_search",
             [
                 "view-instance",
@@ -382,8 +375,7 @@ def test_permissions_checked(app_client, path, permissions):
 async def test_permissions_debug(ds_client, filter_):
     ds_client.ds._permission_checks.clear()
     assert (await ds_client.get("/-/permissions")).status_code == 403
-    # With the cookie it should work (need to set root_enabled for root user)
-    ds_client.ds.root_enabled = True
+    # With the cookie it should work
     cookie = ds_client.actor_cookie({"id": "root"})
     response = await ds_client.get(
         f"/-/permissions?filter={filter_}", cookies={"ds_actor": cookie}
@@ -392,58 +384,61 @@ async def test_permissions_debug(ds_client, filter_):
     # Should have a select box listing permissions
     for fragment in (
         '
Name