authorChris McDonough <chrism@agendaless.com>2010-06-23 14:24:54 +0000
committerChris McDonough <chrism@agendaless.com>2010-06-23 14:24:54 +0000
commitc26a4a59465d95432a45f6ac0c8c55803f055832 (patch)
treedff754a7d9fc88f294480404f9d146e630b997a3 /docs/tutorials
parent7200cba168f05c86810f57e5345e4a94ca8e9102 (diff)
do an indirection through a group at the behest of alex marandon
Diffstat (limited to 'docs/tutorials')
-rw-r--r--docs/tutorials/bfgwiki/authorization.rst52
-rw-r--r--docs/tutorials/bfgwiki/basiclayout.rst2
-rw-r--r--docs/tutorials/bfgwiki/definingmodels.rst2
-rw-r--r--docs/tutorials/bfgwiki/definingviews.rst2
-rw-r--r--docs/tutorials/bfgwiki/index.rst2
-rw-r--r--docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml1
-rw-r--r--docs/tutorials/bfgwiki/src/authorization/tutorial/login.py8
-rw-r--r--docs/tutorials/bfgwiki/src/authorization/tutorial/models.py2
-rw-r--r--docs/tutorials/bfgwiki/src/authorization/tutorial/security.py2
9 files changed, 50 insertions, 23 deletions
diff --git a/docs/tutorials/bfgwiki/authorization.rst b/docs/tutorials/bfgwiki/authorization.rst
index 8c2ab1df9..8ae3c079d 100644
--- a/docs/tutorials/bfgwiki/authorization.rst
+++ b/docs/tutorials/bfgwiki/authorization.rst
@@ -4,15 +4,15 @@ Adding Authorization
Our application currently allows anyone with access to the server to
view, edit, and add pages to our wiki. For purposes of demonstration
-we'll change our application to allow people whom possess a specific
-username (`editor`) to add and edit wiki pages but we'll continue
-allowing anyone with access to the server to view pages.
+we'll change our application to allow people whom are members of a
+*group* named ``group:editors`` to add and edit wiki pages but we'll
+continue allowing anyone with access to the server to view pages.
:mod:`repoze.bfg` provides facilities for *authorization* and
*authentication*. We'll make use of both features to provide security
to our application.
The source code for this tutorial stage can be browsed at
-`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.2/authorization>`_.
+`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.3/authorization>`_.
Configuring a ``repoze.bfg`` Authentication Policy
--------------------------------------------------
@@ -37,6 +37,13 @@ invocation can not be authorized. When you're done, your
:linenos:
:language: xml
+Note that the ``authtktauthenticationpolicy`` tag has two attributes:
+``secret`` and ``callback``. ``secret`` is a string representing an
+encryption key used by the "authentication ticket" machinery
+represented by this policy: it is required. The ``callback`` is a
+string, representing a :term:`Python dotted name`, which points at the
+``groupfinder`` function in the current directory's ``security.py``
+file. We haven't added that module yet, but we're about to.
Adding ``security.py``
~~~~~~~~~~~~~~~~~~~~~~
@@ -54,8 +61,12 @@ The ``groupfinder`` function defined here is an authorization policy
the userid exists in the set of users known by the system, the
callback will return a sequence of group identifiers (or an empty
sequence if the user isn't a member of any groups). If the userid
-*does not* exist in the system, the callback will return ``None``.
-We'll use "dummy" data to represent user and groups sources.
+*does not* exist in the system, the callback will return ``None``. In
+a production system this data will most often come from a database,
+but here we use "dummy" data to represent user and groups
+sources. Note that the ``editor`` user is a member of the
+``group:editors`` group in our dummy group data (the ``GROUPS`` data
+structure).
Adding Login and Logout Views
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -153,7 +164,8 @@ class scope to our ``Wiki`` class:
.. code-block:: python
:linenos:
- __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'editor', 'edit') ]
+ __acl__ = [ (Allow, Everyone, 'view'),
+ (Allow, 'group:editors', 'edit') ]
It's only happenstance that we're assigning this ACL at class scope.
An ACL can be attached to an object *instance* too; this is how "row
@@ -195,16 +207,30 @@ pass a ``permission`` argument to each of our
- We add ``permission='edit'`` to the decorator attached to the
``add_page`` view function. This makes the assertion that only
users who possess the effective ``view`` permission at the time of
- the request may invoke this view. We've granted the``editor``
- principal the view permission at the root model via its ACL, so only
- the user named ``editor`` will able to invoke the ``add_page`` view.
+ the request may invoke this view. We've granted the
+ ``group:editors`` principal the view permission at the root model
+ via its ACL, so only the a user whom is a member of the group named
+ ``group:editors`` will able to invoke the ``add_page`` view. We've
+ likewise given the ``editor`` user membership to this group via thes
+ ``security.py`` file by mapping him to the ``group:editors`` group
+ in the ``GROUPS`` data structure (``GROUPS =
+ {'editor':['group:editors']}``); the ``groupfinder`` function
+ consults the ``GROUPS`` data structure. This means that the
+ ``editor`` user can add pages.
- We add ``permission='edit'`` to the ``bfg_view`` decorator attached
to the ``edit_page`` view function. This makes the assertion that
only users who possess the effective ``view`` permission at the time
- of the request may invoke this view. We've granted ``editor`` the
- view permission at the root model via its ACL, so only the user
- named ``editor`` will able to invoke the ``edit_page`` view.
+ of the request may invoke this view. We've granted the
+ ``group:editors`` principal the view permission at the root model
+ via its ACL, so only the a user whom is a member of the group named
+ ``group:editors`` will able to invoke the ``edit_page`` view. We've
+ likewise given the ``editor`` user membership to this group via thes
+ ``security.py`` file by mapping him to the ``group:editors`` group
+ in the ``GROUPS`` data structure (``GROUPS =
+ {'editor':['group:editors']}``); the ``groupfinder`` function
+ consults the ``GROUPS`` data structure. This means that the
+ ``editor`` user can edit pages.
Viewing the Application in a Browser
------------------------------------
diff --git a/docs/tutorials/bfgwiki/basiclayout.rst b/docs/tutorials/bfgwiki/basiclayout.rst
index 27e59880a..bbfab7247 100644
--- a/docs/tutorials/bfgwiki/basiclayout.rst
+++ b/docs/tutorials/bfgwiki/basiclayout.rst
@@ -8,7 +8,7 @@ to most :term:`traversal` -based :mod:`repoze.bfg` (and :term:`ZODB`
based) projects.
The source code for this tutorial stage can be browsed at
-`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.2/basiclayout>`_.
+`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.3/basiclayout>`_.
``__init__.py``
---------------
diff --git a/docs/tutorials/bfgwiki/definingmodels.rst b/docs/tutorials/bfgwiki/definingmodels.rst
index 475e35442..1edb9c2c2 100644
--- a/docs/tutorials/bfgwiki/definingmodels.rst
+++ b/docs/tutorials/bfgwiki/definingmodels.rst
@@ -12,7 +12,7 @@ container for "Page" objects, which will be instances of the "Page"
class.
The source code for this tutorial stage can be browsed at
-`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.2/models>`_.
+`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.3/models>`_.
Deleting the Database
---------------------
diff --git a/docs/tutorials/bfgwiki/definingviews.rst b/docs/tutorials/bfgwiki/definingviews.rst
index 72101d258..ecd0bc8fc 100644
--- a/docs/tutorials/bfgwiki/definingviews.rst
+++ b/docs/tutorials/bfgwiki/definingviews.rst
@@ -26,7 +26,7 @@ wire them into :mod:`repoze.bfg` using some :term:`view
configuration` via :term:`ZCML`.
The source code for this tutorial stage can be browsed at
-`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.2/views>`_.
+`docs.repoze.org <http://docs.repoze.org/bfgwiki-1.3/views>`_.
Adding View Functions
=====================
diff --git a/docs/tutorials/bfgwiki/index.rst b/docs/tutorials/bfgwiki/index.rst
index 3ba79b714..2e5318e74 100644
--- a/docs/tutorials/bfgwiki/index.rst
+++ b/docs/tutorials/bfgwiki/index.rst
@@ -10,7 +10,7 @@ with authentication.
For cut and paste purposes, the source code for all stages of this
tutorial can be browsed at `docs.repoze.org
-<http://docs.repoze.org/bfgwiki-1.2>`_.
+<http://docs.repoze.org/bfgwiki-1.3>`_.
.. toctree::
:maxdepth: 2
diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml b/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml
index 5297b9ee3..50b68ef35 100644
--- a/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml
+++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml
@@ -12,6 +12,7 @@
<authtktauthenticationpolicy
secret="sosecret"
+ callback=".security.groupfinder"
/>
<aclauthorizationpolicy/>
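Review bot: With `callback=".security.groupfinder"` wired in, the userid carried by the authentication ticket now decides membership of `group:editors`, so the `secret="sosecret"` on the line above is what protects the `edit` permission, and it is a short, guessable placeholder. I would put an XML comment above the tag, for example `<!-- tutorial placeholder: replace secret with a long random value kept out of version control -->`, so that readers who copy this file do not ship it unchanged. The accompanying text in authorization.rst calls the secret an "encryption key"; as far as I know the ticket is signed with it rather than encrypted, so the userid in the cookie should be treated as readable by the client.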
diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py
index 08b3db359..8620dc705 100644
--- a/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py
+++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py
@@ -10,8 +10,8 @@ from tutorial.models import Wiki
from tutorial.security import USERS
@bfg_view(context=Wiki, name='login', renderer='templates/login.pt')
-def login(context, request):
- login_url = model_url(context, request, 'login')
+def login(request):
+ login_url = model_url(request.context, request, 'login')
referrer = request.url
if referrer == login_url:
referrer = '/' # never use the login form itself as came_from
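Review bot: `referrer` is seeded from `request.url` and, judging by the comment on the last line, ends up as the `came_from` redirect target; the rest of `login` lies outside the hunk, so this is inferred rather than visible. If `came_from` can also arrive as a request parameter, it should be checked to be a URL inside this application before it is used as a redirect location, otherwise the login form can send a user to an arbitrary site after signing in. The view also has no docstring; something like `"""Show the login form; on valid credentials remember the user and redirect to came_from."""` would help, provided it matches the unseen body.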
@@ -37,8 +37,8 @@ def login(context, request):
)
@bfg_view(context=Wiki, name='logout')
-def logout(context, request):
+def logout(request):
headers = forget(request)
- return HTTPFound(location = model_url(context, request),
+ return HTTPFound(location = model_url(request.context, request),
headers = headers)
diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py
index 976f5e3e9..08e1da7e4 100644
--- a/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py
+++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py
@@ -7,7 +7,7 @@ from repoze.bfg.security import Everyone
class Wiki(PersistentMapping):
__name__ = None
__parent__ = None
- __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'editor', 'edit') ]
+ __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'group:editors', 'edit') ]
class Page(Persistent):
def __init__(self, data):
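Review bot: The principal name `'group:editors'` in `__acl__` is a bare string that has to match the value stored in `GROUPS` in security.py character for character. The security.py hunk of this same commit corrects `'group.editors'` to `'group:editors'`, which shows how easily the two drift, and a mismatch fails silently as a denied `edit` permission. Consider defining the name once, e.g. `EDITORS = 'group:editors'` in security.py, and using `(Allow, EDITORS, 'edit')` here and `GROUPS = {'editor': [EDITORS]}` there. The `Page` class continues outside the hunk.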
diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py
index 791367183..cfd13071e 100644
--- a/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py
+++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py
@@ -1,6 +1,6 @@
USERS = {'editor':'editor',
'viewer':'viewer'}
-GROUPS = {'editor':['group.editors']}
+GROUPS = {'editor':['group:editors']}
def groupfinder(userid, request):
if userid in USERS: