Add regression test for --default-deny index 500 (#2644)

datasette --default-deny --root with no config file previously 500'd on
the instance and database index pages: rendering them computes is_private
(include_is_private=True), which references the anon_rules CTE, but that
CTE was only defined when anonymous permission rules existed.

This was fixed by the empty-anon_rules fallback added in 4b5fac9c; this
commit adds a regression test that fails without that fallback (SQLite
"no such table: anon_rules" -> 500).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/test_default_deny.py

@@ -127,3 +127,23 @@ async def test_default_deny_basic_permissions():
 
     # Authenticated user without explicit permission should also be denied
     assert await ds.allowed(action="view-instance", actor={"id": "user"}) is False
+
+
+@pytest.mark.asyncio
+async def test_default_deny_root_no_config_index_does_not_500():
+    # https://github.com/simonw/datasette/issues/2644
+    # --default-deny --root with no config file must not 500 on the index
+    # pages. Rendering those pages computes is_private (include_is_private),
+    # which references the anon_rules CTE - that CTE must still be defined
+    # even when there are no anonymous permission rules at all.
+    ds = Datasette(default_deny=True)
+    ds.root_enabled = True
+    await ds.invoke_startup()
+    db = ds.add_memory_database("test_db_2644")
+    await db.execute_write("create table test_table (id integer primary key)")
+    await ds._refresh_schemas()
+
+    cookie = ds.sign({"a": {"id": "root"}}, "actor")
+    for path in ("/", "/test_db_2644", "/test_db_2644/test_table"):
+        response = await ds.client.get(path, cookies={"ds_actor": cookie})
+        assert response.status_code == 200, f"{path} returned {response.status_code}"