diff options
| author | Chris McDonough <chrism@agendaless.com> | 2010-01-16 07:36:12 +0000 |
|---|---|---|
| committer | Chris McDonough <chrism@agendaless.com> | 2010-01-16 07:36:12 +0000 |
| commit | 590fe7c48d15f6280955e9784a9f42c2e28bca69 (patch) | |
| tree | 65667668a46ba05d1902c7a8e18676f9399816ed /docs/narr/security.rst | |
| parent | c2441d669f52e79960ff63af134924da69b9afc1 (diff) | |
| download | pyramid-590fe7c48d15f6280955e9784a9f42c2e28bca69.tar.gz pyramid-590fe7c48d15f6280955e9784a9f42c2e28bca69.tar.bz2 pyramid-590fe7c48d15f6280955e9784a9f42c2e28bca69.zip | |
Massive overhaul to deal with the reality that we don't map URLs directly to code.
Diffstat (limited to 'docs/narr/security.rst')
| -rw-r--r-- | docs/narr/security.rst | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index cb10ff0b5..ad91e9e29 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -11,23 +11,32 @@ Here's how it works at a high level: - A :term:`request` is generated when a user visits our application. -- Based on the request, a :term:`context` is located. Exactly how a - context is located depends whether you are using :term:`traversal` - or :term:`URL dispatch`, but in either case, one is found. See - :ref:`url_mapping_chapter` for more information. +- Based on the request, a :term:`context` is located through + :term:`context finding`. A context is located differently depending + on whether the application uses :term:`traversal` or :term:`URL + dispatch`, but a context is ultimately found in either case. See + :ref:`urlmapping_chapter` for more information about context + finding. -- A :term:`view callable` is located using the the context as well as - other attributes of the request. +- A :term:`view callable` is located by :term:`view lookup` using the + the context as well as other attributes of the request. + +- If an :term:`authentication policy` is in effect, it is passed the + request; it returns some number of :term:`principal` identifiers. - If an :term:`authorization policy` is in effect and the :term:`view configuration` associated with the view callable that was found has a :term:`permission` associated with it, the authorization policy is - passed the context: it will either allow or deny access. + passed the :term:`context`, some number of :term:`principal` + identifiers returned by the authentication policy, and the + :term:`permission` associated with the view; it will allow or deny + access. -- If access is allowed, the view callable is invoked. +- If the authorization policy allows access, the view callable is + invoked. -- If access is denied, view callable is not invoked; instead the - :term:`forbidden view` is invoked. +- If the authorization policy denies access, the view callable is not + invoked; instead the :term:`forbidden view` is invoked. Authorization is enabled by modifying your application to include a :term:`authentication policy` and :term:`authorization policy`. |