Make cascading permission checks available to plugins

[simonw]

The BaseView class has a method for cascading permission checks, but it's not easily accessible to plugins.

datasette/datasette/views/base.py

Lines 75 to 99 in 5eb8e9b

	async def check_permissions(self, request, permissions):
	"permissions is a list of (action, resource) tuples or 'action' strings"
	for permission in permissions:
	if isinstance(permission, str):
	action = permission
	resource = None
	elif isinstance(permission, (tuple, list)) and len(permission) == 2:
	action, resource = permission
	else:
	assert (
	False
	), "permission should be string or tuple of two items: {}".format(
	repr(permission)
	)
	ok = await self.ds.permission_allowed(
	request.actor,
	action,
	resource=resource,
	default=None,
	)
	if ok is not None:
	if ok:
	return
	else:
	raise Forbidden(action)

This leaves plugins like datasette-graphql having to implement their own versions of this logic, which is bad: simonw/datasette-graphql#65

First check view-database - if that says False then disallow access, if it says True then allow access. If it says None check view-instance.

This should become a supported API that plugins are encouraged to use.

[simonw]

This is implemented now:

• https://docs.datasette.io/en/stable/internals.html#await-ensure-permissions-actor-permissions