issues: 1571711808

This data as json

id	node_id	number	title	user	state	locked	assignee	milestone	comments	created_at	updated_at	closed_at	author_association	pull_request	body	repo	type	active_lock_reason	performed_via_github_app	reactions	draft	state_reason
1571711808	I_kwDOBm6k_c5drmtA	2018	`check_visibility` gives confusing (wrong?) results if permission is `None`	193185	open	0			0	2023-02-06T01:03:08Z	2023-02-06T01:03:46Z		CONTRIBUTOR		I'm trying to gate access to an edit UI on the user having `update-row` on the underlying view or table. I expected datasette.check_visibility to be a good way to do this: ```python visible, private = await datasette.check_visibility( request.actor, permissions=[ ("update-row", (database, table)), ], ) `if not visible: return None` ``` But `visible` is returning true, even when there is no explicit `update-row` permission. (In this case, `request.actor` is `None`.) Based on the update-row permissions docs, I expected this to be default deny, and so no explicit permission would result in false. I think the root cause is that `check_visibility` calls `ensure_permissions` and expects it to throw if the permission is not available. But `ensure_permissions` does not throw when `permission_allowed` returns None: https://github.com/simonw/datasette/blob/1.0a2/datasette/app.py#L825-L829	107914493	issue			{ "url": "https://api.github.com/repos/simonw/datasette/issues/2018/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 }

Links from other tables