| author | Theron Luhn <theron@luhn.com> | 2019-12-14 20:17:36 -0800 |
|---|---|---|
| committer | Theron Luhn <theron@luhn.com> | 2019-12-14 20:17:36 -0800 |
| commit | 2e06fa414412688dc3b7e0b422b0fc0b96ec882f (patch) | |
| tree | 8acfecec6dd36eb8ed0763a93a7674ebc7fc140a | |
| parent | cd0b92d10bfbb38068c216ce44dde9732fa127a8 (diff) | |
Bring back identity into permits.
| -rw-r--r-- | docs/narr/security.rst | 12 | ||||
| -rw-r--r-- | src/pyramid/interfaces.py | 2 | ||||
| -rw-r--r-- | src/pyramid/security.py | 6 | ||||
| -rw-r--r-- | src/pyramid/testing.py | 2 | ||||
| -rw-r--r-- | src/pyramid/viewderivers.py | 9 | ||||
| -rw-r--r-- | tests/pkgs/securityapp/__init__.py | 4 | ||||
| -rw-r--r-- | tests/test_config/test_views.py | 6 | ||||
| -rw-r--r-- | tests/test_security.py | 7 | ||||
| -rw-r--r-- | tests/test_testing.py | 2 | ||||
| -rw-r--r-- | tests/test_viewderivers.py | 2 |
10 files changed, 29 insertions, 23 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index b01bec903..07b7fe825 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -80,9 +80,8 @@ A simple security policy might look like the following: """ Return a string ID for the user. """ return self.identify(request).id - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): """ Allow access to everything if signed in. """ - identity = self.identify(request) if identity is not None: return Allowed('User is signed in.') else: @@ -148,9 +147,8 @@ For example, our above security policy can leverage these helpers like so: def authenticated_userid(self, request): return self.identify(request).id - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): """ Allow access to everything if signed in. """ - identity = self.identify(request) if identity is not None: return Allowed('User is signed in.') else: @@ -238,9 +236,7 @@ might look like so: from pyramid.security import Allowed, Denied class SecurityPolicy: - def permits(self, request, context, permission): - identity = self.identify(request) - + def permits(self, request, context, identity, permission): if identity is None: return Denied('User is not signed in.') if identity.role == 'admin': @@ -330,7 +326,7 @@ object. An implementation might look like this: from pyramid.authorization import ACLHelper class SecurityPolicy: - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): principals = [Everyone] if identity is not None: principals.append(Authenticated) diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 891b851ee..d20401028 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py 
@@ -494,7 +494,7 @@ class ISecurityPolicy(Interface): verified user, or ``None`` if unauthenticated. """ - def permits(request, context, permission): + def permits(request, context, identity, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current ``context``, else return an instance of diff --git a/src/pyramid/security.py b/src/pyramid/security.py index e3a978c52..d6af69e51 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -351,7 +351,9 @@ class SecurityAPIMixin: policy = _get_security_policy(self) if policy is None: return Allowed('No security policy in use.') - return policy.permits(self, context, permission) + return policy.permits( + self, context, self.authenticated_identity, permission + ) class AuthenticationAPIMixin(object): @@ -447,7 +449,7 @@ class LegacySecurityPolicy: authn = self._get_authn_policy(request) return authn.forget(request) - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): authn = self._get_authn_policy(request) authz = self._get_authz_policy(request) principals = authn.effective_principals(request) diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index a92bb5d03..f550156dd 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -64,7 +64,7 @@ class DummySecurityPolicy(object): def authenticated_userid(self, request): return self.userid - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): return self.permissive def remember(self, request, userid, **kw): diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py index 7c28cbf85..35f9a08d2 100644 --- a/src/pyramid/viewderivers.py +++ b/src/pyramid/viewderivers.py 
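Review bot: The visible part of the `ISecurityPolicy.permits` docstring does not say where `identity` comes from or that it can be `None`, which a policy author needs to know now that the caller supplies it. I would add a sentence along the lines of `identity is the value returned by identify() for the request, or None when the request is unauthenticated`. Because the new parameter sits in the middle of the positional list, a policy still written with three arguments should fail with a `TypeError` rather than misread `identity` as `permission`; that is worth a line in the change notes. The docstring continues past the end of the hunk, so the rest of it may already cover part of this.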
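Review bot: `LegacySecurityPolicy.permits` now accepts `identity`, but the visible lines never read it; the principals still come from `authn.effective_principals(request)`. A caller that passes an identity other than the request's own would get a decision for the request's principals, so the ignored argument should be called out, for example with `# identity is unused: legacy authn/authz policies derive principals from the request`. The updated call in tests/test_security.py passes `'userid'` and would succeed with any value, so it does not pin this behaviour either way. The method body continues outside the hunk.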
@@ -316,7 +316,8 @@ def _secured_view(view, info): if policy and (permission is not None): def permitted(context, request): - return policy.permits(request, context, permission) + identity = policy.identify(request) + return policy.permits(request, context, identity, permission) def secured_view(context, request): result = permitted(context, request) @@ -362,8 +363,10 @@ def _authdebug_view(view, info): elif permission is None: msg = 'Allowed (no permission registered)' else: - result = policy.permits(request, context, permission) - msg = str(result) + identity = policy.identify(request) + msg = str( + policy.permits(request, context, identity, permission) + ) else: msg = 'Allowed (no security policy in use)' diff --git a/tests/pkgs/securityapp/__init__.py b/tests/pkgs/securityapp/__init__.py index 6c9025e7d..caf65ad4c 100644 --- a/tests/pkgs/securityapp/__init__.py +++ b/tests/pkgs/securityapp/__init__.py @@ -4,12 +4,12 @@ from pyramid.security import Allowed, Denied class SecurityPolicy: def identify(self, request): - raise NotImplementedError() # pragma: no cover + return self.authenticated_userid(request) def authenticated_userid(self, request): return request.environ.get('REMOTE_USER') - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): userid = self.authenticated_userid(request) if userid and permission == 'foo': return Allowed('') diff --git a/tests/test_config/test_views.py b/tests/test_config/test_views.py index a474d3754..a1e975756 100644 --- a/tests/test_config/test_views.py +++ b/tests/test_config/test_views.py @@ -2045,9 +2045,10 @@ class TestViewsConfigurationMixin(unittest.TestCase): outerself.assertEqual(r, request) return 123 - def permits(self, r, context, permission): + def permits(self, r, context, identity, permission): outerself.assertEqual(r, request) outerself.assertEqual(context, None) + outerself.assertEqual(identity, 123) outerself.assertEqual(permission, 'view') return True 
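Review bot: `permitted` in `_secured_view` obtains the identity with `policy.identify(request)`, while `has_permission` in src/pyramid/security.py passes `self.authenticated_identity`; the `_authdebug_view` hunk that follows does the same as `_secured_view`. With two derivation paths, the view-level check and a later `request.has_permission()` judge the same identity only if that property is a plain call to `identify`, which this page does not show. Assuming the request object carries the `SecurityAPIMixin` property, `identity = request.authenticated_identity` in both view derivers would give the authorization input a single source. Both enclosing functions start and end outside their hunks.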
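Review bot: The fixture's `permits` in tests/pkgs/securityapp/__init__.py takes `identity` but still decides from `self.authenticated_userid(request)`, so integration tests built on this app would pass even if the framework handed the policy a wrong or missing identity. Since `identify` now returns that same userid, replacing the lookup with `userid = identity` would make the fixture exercise the new argument. The method body continues outside the hunk.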
@@ -2069,9 +2070,10 @@ class TestViewsConfigurationMixin(unittest.TestCase): outerself.assertEqual(r, request) return 123 - def permits(self, r, context, permission): + def permits(self, r, context, identity, permission): outerself.assertEqual(r, request) outerself.assertEqual(context, None) + outerself.assertEqual(identity, 123) outerself.assertEqual(permission, 'view') return True diff --git a/tests/test_security.py b/tests/test_security.py index 1c969e305..3896e008d 100644 --- a/tests/test_security.py +++ b/tests/test_security.py @@ -480,7 +480,10 @@ class TestLegacySecurityPolicy(unittest.TestCase): _registerAuthenticationPolicy(request.registry, ['p1', 'p2']) _registerAuthorizationPolicy(request.registry, True) - self.assertTrue(policy.permits(request, request.context, 'permission')) + self.assertIs( + policy.permits(request, request.context, 'userid', 'permission'), + True, + ) _TEST_HEADER = 'X-Pyramid-Test' @@ -501,7 +504,7 @@ class DummySecurityPolicy: def authenticated_userid(self, request): return self.result - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): return self.result def remember(self, request, userid, **kw): diff --git a/tests/test_testing.py b/tests/test_testing.py index 6eb474f65..a329b0a04 100644 --- a/tests/test_testing.py +++ b/tests/test_testing.py @@ -33,7 +33,7 @@ class TestDummySecurityPolicy(unittest.TestCase): def test_permits(self): policy = self._makeOne() - self.assertTrue(policy.permits(None, None, None)) + self.assertEqual(policy.permits(None, None, None, None), True) def test_forget(self): policy = self._makeOne() diff --git a/tests/test_viewderivers.py b/tests/test_viewderivers.py index f1aa00e5b..48a564c7b 100644 --- a/tests/test_viewderivers.py +++ b/tests/test_viewderivers.py 
@@ -2089,7 +2089,7 @@ class DummySecurityPolicy: def authenticated_userid(self, request): return 123 - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): return self.permitted |
