Split default_permissions.py into a package

datasette/default_permissions/__init__.py

@@ -0,0 +1,51 @@
+"""
+Default permission implementations for Datasette.
+
+This module provides the built-in permission checking logic through implementations
+of the permission_resources_sql hook. The hooks are organized by their purpose:
+
+1. Actor Restrictions - Enforces _r allowlists embedded in actor tokens
+2. Root User - Grants full access when --root flag is used
+3. Config Rules - Applies permissions from datasette.yaml
+4. Default Settings - Enforces default_allow_sql and default view permissions
+
+IMPORTANT: These hooks return PermissionSQL objects that are combined using SQL
+UNION/INTERSECT operations. The order of evaluation is:
+  - restriction_sql fields are INTERSECTed (all must match)
+  - Regular sql fields are UNIONed and evaluated with cascading priority
+"""
+
+# Re-export all hooks and public utilities
+from .restrictions import (
+    actor_restrictions_sql,
+    restrictions_allow_action,
+    ActorRestrictions,
+)
+from .root import root_user_permissions_sql
+from .config import config_permissions_sql
+from .defaults import (
+    default_allow_sql_check,
+    default_action_permissions_sql,
+    DEFAULT_ALLOW_ACTIONS,
+)
+from .tokens import (
+    actor_from_request,
+    skip_csrf,
+    canned_queries,
+)
+
+__all__ = [
+    # Hooks
+    "actor_restrictions_sql",
+    "root_user_permissions_sql",
+    "config_permissions_sql",
+    "default_allow_sql_check",
+    "default_action_permissions_sql",
+    "actor_from_request",
+    "skip_csrf",
+    "canned_queries",
+    # Utility functions and classes
+    "restrictions_allow_action",
+    "ActorRestrictions",
+    "DEFAULT_ALLOW_ACTIONS",
+]