authorChris McDonough <chrism@plope.com>2012-03-30 02:30:32 -0400
committerChris McDonough <chrism@plope.com>2012-03-30 02:30:32 -0400
commita9ee05f216a0e8866c11aa377cd8c125ef791e28 (patch)
treedefe7c42fa3b3f72884640a0d43450425f72a754
parentf8636ce5fa8685190358fc83cc2b5ebeaefde8b9 (diff)
parent8782def302a98cefdd4a4c1d448f5226acf81103 (diff)
forward-port security fix from 1.3 branch
-rw-r--r--CHANGES.txt8
-rw-r--r--pyramid/security.py2
-rw-r--r--pyramid/tests/test_security.py3
3 files changed, 11 insertions, 2 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index c3e679b8a..ac22aa36d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,14 @@
Next release
============
+Bug Fixes
+---------
+
+- When no authentication policy was configured, a call to
+ ``pyramid.security.effective_principals`` would unconditionally return the
+ empty list. This was incorrect, it should have unconditionally returned
+ ``[Everyone]``, and now does.
+
Features
--------
diff --git a/pyramid/security.py b/pyramid/security.py
index f29edd678..4b929241e 100644
--- a/pyramid/security.py
+++ b/pyramid/security.py
@@ -100,7 +100,7 @@ def effective_principals(request):
policy = reg.queryUtility(IAuthenticationPolicy)
if policy is None:
- return []
+ return [Everyone]
return policy.effective_principals(request)
def principals_allowed_by_permission(context, permission):
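Review bot: The `if policy is None:` branch now returns `[Everyone]` with no comment explaining why the fallback is not an empty list, and this is the security-relevant line of the commit. Callers that compare the result against ACEs naming `Everyone` presumably saw neither Allow nor Deny entries match under the old empty list, so the reason is worth recording beside the return, e.g. `# No authentication policy: every request still holds the Everyone principal, so ACEs that name Everyone keep matching.` The docstring of `effective_principals` starts outside this hunk; if it does not already say what is returned when no policy is configured, it should state that the result is `[Everyone]`.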
diff --git a/pyramid/tests/test_security.py b/pyramid/tests/test_security.py
index 86149d554..ba9538b01 100644
--- a/pyramid/tests/test_security.py
+++ b/pyramid/tests/test_security.py
@@ -266,9 +266,10 @@ class TestEffectivePrincipals(unittest.TestCase):
return effective_principals(request)
def test_no_authentication_policy(self):
+ from pyramid.security import Everyone
request = _makeRequest()
result = self._callFUT(request)
- self.assertEqual(result, [])
+ self.assertEqual(result, [Everyone])
def test_with_authentication_policy(self):
request = _makeRequest()