| author | Chris McDonough <chrism@agendaless.com> | 2009-11-19 15:05:32 +0000 |
|---|---|---|
| committer | Chris McDonough <chrism@agendaless.com> | 2009-11-19 15:05:32 +0000 |
| commit | e0162efd4bc5320591854c137d1403083e4a8618 (patch) | |
| tree | 032c438350c45dfdc2c2c06f0cc972d51ed6990d | |
| parent | 39f21489978ff982832ae76cc205f64e29dd483e (diff) | |
| download | pyramid-e0162efd4bc5320591854c137d1403083e4a8618.tar.gz pyramid-e0162efd4bc5320591854c137d1403083e4a8618.tar.bz2 pyramid-e0162efd4bc5320591854c137d1403083e4a8618.zip | |
- The ACL authorization policy debugging output when
``debug_authorization`` console debugging output was turned on
wasn't as clear as it could have been when a view execution was
denied due to an authorization failure resulting from the set of
principals passed never having matched any ACE in any ACL in the
lineage. Now in this case, we report ``<default deny>`` as the ACE
value and either the root ACL or ``<No ACL found on any object in
model lineage>`` if no ACL was found.
| -rw-r--r-- | CHANGES.txt | 12 | ||||
| -rw-r--r-- | repoze/bfg/authorization.py | 12 | ||||
| -rw-r--r-- | repoze/bfg/tests/test_authorization.py | 12 |
3 files changed, 33 insertions, 3 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 2de872afe..496a95ee8 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,18 @@
 Next release
 ============
+Bug Fixes
+----------
+
+- The ACL authorization policy debugging output when
+ ``debug_authorization`` consule debugging output was turned on
+ wasn't as clear as it could have been when a view execution was
+ denied due to an authorization failure resulting from the set of
+ principals passed never having matched any ACE in any ACL in the
+ lineage. Now in this case, we report ``<default deny>`` as the ACE
+ value and either the root ACL or ``<No ACL found on any object in
+ model lineage>`` if no ACL was found.
+
 Internals
 ---------
diff --git a/repoze/bfg/authorization.py b/repoze/bfg/authorization.py
index 743e9cb64..c7e8b1c96 100644
--- a/repoze/bfg/authorization.py
+++ b/repoze/bfg/authorization.py
@@ -57,6 +57,8 @@ class ACLAuthorizationPolicy(object):
 def permits(self, context, principals, permission):
 """ Return ``ACLAllowed`` if the policy permits access, ``ACLDenied`` if not. """
+
+ acl = '<No ACL found on any object in model lineage>'
 for location in lineage(context):
 try:
@@ -77,8 +79,14 @@ class ACLAuthorizationPolicy(object):
 return ACLDenied(ace, acl, permission, principals, location)
- # default deny if no ACL in lineage at all
- return ACLDenied(None, None, permission, principals, context)
+ # default deny (if no ACL in lineage at all, or if none of the
+ # principals were mentioned in any ACE we found)
+ return ACLDenied(
+ '<default deny>',
+ acl,
+ permission,
+ principals,
+ context)
 def principals_allowed_by_permission(self, context, permission):
 """ Return the set of principals explicitly granted the
diff --git a/repoze/bfg/tests/test_authorization.py b/repoze/bfg/tests/test_authorization.py
index 8aa9b9abf..6b8c8293a 100644
--- a/repoze/bfg/tests/test_authorization.py
+++ b/repoze/bfg/tests/test_authorization.py
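Review bot: The sentinel strings introduced in the second authorization.py hunk change the public shape of `ACLDenied`, not only the debug output: `result.ace` was `None` on a default deny and is now the truthy string `'<default deny>'`, and `result.acl` is a str rather than `None` when nothing in the lineage defines `__acl__`, so any caller that tests `result.ace is None` or iterates `result.acl` to inspect entries now misbehaves silently (the test hunk below rewrites its own `None` assertion for exactly this reason). The `permits` docstring in the first hunk should state the new contract, e.g. `On denial with no matching ACE, ``ace`` is the string ``'<default deny>'`` and ``acl`` is the last ACL seen in the lineage, or a placeholder string when no object in the lineage defines ``__acl__``.` Note also that `acl` at the final `return` is whatever the loop last assigned, so it is the root's ACL only when the root itself defines `__acl__`, not "the root ACL" as the commit message says; the assignment inside the `try:` is outside the hunk, so that is inferred. The body of `permits` between the two hunks, including the ACE matching loop, is not shown here.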
@@ -61,12 +61,14 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, True)
 self.assertEqual(result.context, blog)
 self.assertEqual(result.ace, (Allow, 'wilma', VIEW))
+ self.assertEqual(result.acl, blog.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], 'delete')
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view')
 self.assertEqual(result, True)
@@ -77,6 +79,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, True)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'barney'], 'view')
@@ -88,6 +91,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(root, [Everyone, Authenticated, 'someguy'], 'view')
@@ -99,15 +103,21 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(root, [Everyone], 'view')
 self.assertEqual(result, False)
 self.assertEqual(result.context, root)
- self.assertEqual(result.ace, None)
+ self.assertEqual(result.ace, '<default deny>')
+ self.assertEqual(result.acl, root.__acl__)
 context = DummyContext()
 result = policy.permits(context, [Everyone], 'view')
 self.assertEqual(result, False)
+ self.assertEqual(result.ace, '<default deny>')
+ self.assertEqual(
+ result.acl,
+ '<No ACL found on any object in model lineage>')
 def test_principals_allowed_by_permission_direct(self):
 from repoze.bfg.security import Allow |
