authorChris McDonough <chrism@agendaless.com>2008-11-02 22:14:58 +0000
committerChris McDonough <chrism@agendaless.com>2008-11-02 22:14:58 +0000
commit389ac52e76f64da5bdf87acd19aa1b2fb5cf664b (patch)
treedde685da2bda59ba063cff2751cdf913571f1cea
parentabe447ecb25bd385cafcdedeae0ee31007283569 (diff)
- Fix bug where default deny in authorization check would throw a
TypeError (use ``ACLDenied`` instead of ``Denied``).
-rw-r--r--CHANGES.txt6
-rw-r--r--repoze/bfg/security.py9
-rw-r--r--repoze/bfg/tests/test_security.py29
3 files changed, 29 insertions, 15 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 1a3d396d8..db47747a4 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -8,6 +8,12 @@ Next Release
the Settings objects defaults for ``debug_authorization`` and
``debug_notfound``.
+ - Return an instance of ``Allowed`` (rather than ``True``) from
+ ``has_permission`` when no security policy is in use.
+
+ - Fix bug where default deny in authorization check would throw a
+ TypeError (use ``ACLDenied`` instead of ``Denied``).
+
0.4.2 (11/2/2008)
Features
diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py
index 21b7f98d3..860f4a0fd 100644
--- a/repoze/bfg/security.py
+++ b/repoze/bfg/security.py
@@ -24,7 +24,7 @@ def has_permission(permission, context, request):
application."""
policy = queryUtility(ISecurityPolicy)
if policy is None:
- return True
+ return Allowed('No security policy in use.')
return policy.permits(context, request, permission)
def authenticated_userid(request):
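Review bot: The added `return Allowed('No security policy in use.')` keeps the fail-open default of `has_permission` — with no `ISecurityPolicy` utility registered, every permission check succeeds — and that fact is not stated in the function's docstring, which starts outside the hunk. A deployment that forgets to register a policy is indistinguishable from one that deliberately runs open, so the contract deserves to be written down next to the code; I would add, above the `if policy is None:` line, `# No ISecurityPolicy registered: checks are fail-open and every call is Allowed.` and a matching sentence in the docstring. The returned `Allowed` presumably compares true like the old `True` did (the test at the bottom of this page asserts `result == True`), which is worth a note for callers that test with `is True`.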
@@ -85,7 +85,8 @@ class ACLAuthorizer(object):
else:
return ACLDenied(ace, acl, permission, principals,
self.context)
- # default deny
+
+ # default deny if no ACE matches in the ACL found
result = ACLDenied(None, acl, permission, principals, self.context)
return result
@@ -104,11 +105,11 @@ class ACLSecurityPolicy(object):
authorizer = self.authorizer_factory(location)
try:
return authorizer.permits(permission, *principals)
-
except NoAuthorizationInformation:
continue
- return Denied(None, None, permission, principals, self.context)
+ # default deny if no ACL in lineage at all
+ return ACLDenied(None, None, permission, principals, context)
def authenticated_userid(self, request):
principals = self.get_principals(request)
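Review bot: The new default-deny line passes `context` where the removed line passed `self.context`; `context` looks like the `permits` parameter (the test on this page calls `policy.permits(context, request, 'view')`), but the signature and the loop that binds `location` are outside the hunk, so confirm the name is in scope and is the object the caller asked about rather than the last lineage location. The added comment is accurate as far as the hunk shows — the `except NoAuthorizationInformation: continue` means this line is reached only when every location visited raised — and any other exception from `authorizer.permits` still propagates, so the path stays fail-closed. I would move that contract into a docstring rather than a trailing comment: `"""Return an ACLDenied when no object in the lineage provides authorization information; otherwise return the first authorizer's verdict."""`.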
diff --git a/repoze/bfg/tests/test_security.py b/repoze/bfg/tests/test_security.py
index 43dc38890..5fa554629 100644
--- a/repoze/bfg/tests/test_security.py
+++ b/repoze/bfg/tests/test_security.py
@@ -234,6 +234,21 @@ class TestACLSecurityPolicy(unittest.TestCase, PlacelessSetup):
self.assertEqual(authorizer_factory.permission, 'view')
self.assertEqual(authorizer_factory.context, context)
+ def test_permits_default_deny(self):
+ context = DummyContext()
+ context.__acl__ = []
+ request = DummyRequest({})
+ policy = self._makeOne(lambda *arg: None)
+ authorizer_factory = make_authorizer_factory(None,
+ intermediates_raise=True)
+ policy.authorizer_factory = authorizer_factory
+ result = policy.permits(context, request, 'view')
+ self.assertEqual(result, False)
+ from repoze.bfg.security import Everyone
+ self.assertEqual(authorizer_factory.principals, (Everyone,))
+ self.assertEqual(authorizer_factory.permission, 'view')
+ self.assertEqual(authorizer_factory.context, context)
+
def test_permits_no_principals_withparents_root_has_acl_info(self):
context = DummyContext()
context.__name__ = None
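Review bot: `test_permits_default_deny` only asserts that the result compares equal to `False`, which does not pin the thing this commit fixes — that the default-deny path now builds an `ACLDenied` rather than raising `TypeError` — beyond the test not blowing up. I would add `from repoze.bfg.security import ACLDenied` and `self.failUnless(isinstance(result, ACLDenied))` after the `assertEqual(result, False)` line, and, if `ACLDenied` exposes the constructor arguments as attributes (not visible on this page), assert that `permission` is `'view'` and the context is `context` so a future refactor cannot silently return a plain `Denied` again. The `context.__acl__ = []` line is not exercised: the factory built with `intermediates_raise=True` raises `NoAuthorizationInformation` regardless (see the deleted tail of `make_authorizer_factory` further down), so either drop it or state in a comment that the ACL is intentionally ignored.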
@@ -398,7 +413,9 @@ class TestAPIFunctions(unittest.TestCase, PlacelessSetup):
def test_has_permission_not_registered(self):
from repoze.bfg.security import has_permission
- self.assertEqual(has_permission('view', None, None), True)
+ result = has_permission('view', None, None)
+ self.assertEqual(result, True)
+ self.assertEqual(result.msg, 'No security policy in use.')
def test_authenticated_userid_registered(self):
secpol = DummySecurityPolicy(False)
@@ -591,13 +608,3 @@ class make_authorizer_factory:
raise NoAuthorizationInformation()
return result
return Authorizer()
-
-
-
-
-
-
-
-
-
-