authorChris McDonough <chrism@agendaless.com>2008-07-20 07:53:37 +0000
committerChris McDonough <chrism@agendaless.com>2008-07-20 07:53:37 +0000
commit67328b060928cab8ca54349cb2867088f354a95c (patch)
tree64fd7c362a3a263b3aa48a75a87410dfbf98f2ab
parentbabac9b9bf270acd4f854fb88a68e00e46cc6b11 (diff)
- Add authenticated_userid and effective_principals API to security
policy.
-rw-r--r--CHANGES.txt5
-rw-r--r--repoze/bfg/security.py28
-rw-r--r--repoze/bfg/tests/test_security.py18
3 files changed, 43 insertions, 8 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 18f2b7f35..261cadd64 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,8 @@
+0.2.2
+
+ - Add authenticated_userid and effective_principals API to security
+ policy.
+
0.2.1
- Add find_interface API.
diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py
index eb260fea8..7e0ba6ffe 100644
--- a/repoze/bfg/security.py
+++ b/repoze/bfg/security.py
@@ -89,22 +89,34 @@ class RemoteUserACLSecurityPolicy(object):
def permits(self, context, request, permission):
""" Return ``Allowed`` if the policy permits access,
``Denied`` if not."""
- userid = request.environ.get('REMOTE_USER', None)
- effective_principals = [Everyone]
-
- if userid is not None:
- effective_principals.append(Authenticated)
- effective_principals.append(userid)
-
+ principals = self.effective_principals(request)
for location in LocationIterator(context):
authorizer = self.authorizer_factory(location, self.logger)
try:
- return authorizer.permits(permission, *effective_principals)
+ return authorizer.permits(permission, *principals)
except NoAuthorizationInformation:
continue
return False
+ def authenticated_userid(self, request):
+ """ Return the id of the currently authenticated user or
+ None if the user is not authenticated """
+ return request.environ.get('REMOTE_USER', None)
+
+ def effective_principals(self, request):
+ """ Return the list of 'effective' principals for the request.
+ This will include the userid of the currently authenticated
+ user if a user is currently authenticated. """
+ userid = self.authenticated_userid(request)
+ effective_principals = [Everyone]
+
+ if userid is not None:
+ effective_principals.append(Authenticated)
+ effective_principals.append(userid)
+ return effective_principals
+
+
class PermitsResult:
def __init__(self, ace, acl, permission, principals, context):
self.acl = acl
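Review bot: `authenticated_userid` returns whatever `request.environ.get('REMOTE_USER', None)` yields, so an empty string set by the front end counts as an authenticated user, and the `if userid is not None` guard in `effective_principals` would then add both `Authenticated` and `''` to the principal list. Whether a blank `REMOTE_USER` can reach this code depends on the WSGI server or middleware that populates the environ, which is outside this hunk; if it can, `if userid:` is the stricter test. In either case the new public API should state its trust boundary in the docstring, e.g. `Trusts REMOTE_USER exactly as set by the WSGI server or upstream middleware; this policy performs no authentication of its own.` The `permits` docstring still promises `Allowed`/`Denied` while the method falls through to `return False`, which the refactor leaves in place. The enclosing class `RemoteUserACLSecurityPolicy` begins outside the hunk.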
diff --git a/repoze/bfg/tests/test_security.py b/repoze/bfg/tests/test_security.py
index 745b42f04..d0bb5dcaa 100644
--- a/repoze/bfg/tests/test_security.py
+++ b/repoze/bfg/tests/test_security.py
@@ -225,6 +225,24 @@ class RemoteUserACLSecurityPolicy(unittest.TestCase, PlacelessSetup):
def tearDown(self):
PlacelessSetup.tearDown(self)
+ def test_authenticated_userid(self):
+ context = DummyContext()
+ request = DummyRequest({'REMOTE_USER':'fred'})
+ logger = DummyLogger()
+ policy = self._makeOne(logger)
+ result = policy.authenticated_userid(request)
+ self.assertEqual(result, 'fred')
+
+ def test_effective_principals(self):
+ context = DummyContext()
+ request = DummyRequest({'REMOTE_USER':'fred'})
+ logger = DummyLogger()
+ policy = self._makeOne(logger)
+ result = policy.effective_principals(request)
+ from repoze.bfg.security import Everyone
+ from repoze.bfg.security import Authenticated
+ self.assertEqual(result, [Everyone, Authenticated, 'fred'])
+
def test_permits_no_remote_user_no_acl_info_on_context(self):
context = DummyContext()
request = DummyRequest({})
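Review bot: Both new tests cover only the authenticated case; nothing asserts that `authenticated_userid` returns `None` and `effective_principals` returns `[Everyone]` when `REMOTE_USER` is absent, which is the path the `if userid is not None` guard exists for and the one an authorization bug would most likely hide in. The `context = DummyContext()` lines in `test_authenticated_userid` and `test_effective_principals` are unused and can be dropped. A negative test along the lines below, using the same `DummyRequest({})` fixture the existing `test_permits_no_remote_user_*` test uses, would pin the anonymous path; the enclosing test class continues outside the hunk.
```python
    def test_effective_principals_no_remote_user(self):
        request = DummyRequest({})
        policy = self._makeOne(DummyLogger())
        from repoze.bfg.security import Everyone
        self.assertEqual(policy.authenticated_userid(request), None)
        self.assertEqual(policy.effective_principals(request), [Everyone])
```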