authorMichael Merickel <michael@merickel.org>2020-01-17 16:09:27 -0600
committerGitHub <noreply@github.com>2020-01-17 16:09:27 -0600
commita71df99b57e88788cf9ce3a78fc005f309033bbd (patch)
tree56668260a48bef6b194a735de947ee59fd9429f6 /docs
parent03d3bbd2791918a844da49eb4449b4953b83a31b (diff)
parent592cadd9c20ce410d9ab7b9a748ec59dff001f65 (diff)
Merge pull request #3563 from mmerickel/move-acl-security-to-authorization
Move acl security to authorization
Diffstat (limited to 'docs')
-rw-r--r--docs/api/authorization.rst66
-rw-r--r--docs/api/request.rst2
-rw-r--r--docs/api/security.rst59
-rw-r--r--docs/narr/advanced-features.rst2
-rw-r--r--docs/narr/security.rst67
-rw-r--r--docs/narr/viewconfig.rst2
-rw-r--r--docs/quick_tutorial/authorization/tutorial/resources.py4
-rw-r--r--docs/quick_tutorial/authorization/tutorial/security.py7
-rw-r--r--docs/quick_tutorial/authorization/tutorial/views.py4
-rw-r--r--docs/quick_tutorial/databases/tutorial/models.py2
-rw-r--r--docs/tutorials/wiki/authorization.rst8
-rw-r--r--docs/tutorials/wiki/src/authorization/tutorial/models/__init__.py4
-rw-r--r--docs/tutorials/wiki/src/authorization/tutorial/security.py4
-rw-r--r--docs/tutorials/wiki/src/tests/tutorial/models/__init__.py4
-rw-r--r--docs/tutorials/wiki/src/tests/tutorial/security.py4
-rw-r--r--docs/tutorials/wiki2/authorization.rst4
-rw-r--r--docs/tutorials/wiki2/src/authorization/tutorial/routes.py8
-rw-r--r--docs/tutorials/wiki2/src/authorization/tutorial/security.py8
-rw-r--r--docs/tutorials/wiki2/src/tests/tutorial/routes.py2
-rw-r--r--docs/tutorials/wiki2/src/tests/tutorial/security.py8
-rw-r--r--docs/whatsnew-2.0.rst2
21 files changed, 185 insertions, 86 deletions
diff --git a/docs/api/authorization.rst b/docs/api/authorization.rst
index c6b3d090e..be040f055 100644
--- a/docs/api/authorization.rst
+++ b/docs/api/authorization.rst
@@ -10,3 +10,69 @@
.. autoclass:: ACLAuthorizationPolicy
+Constants
+---------
+
+.. attribute:: Everyone
+
+ The special principal id named ``Everyone``. This principal id is
+ granted to all requests. Its actual value is the string
+ ``'system.Everyone'``.
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
+
+.. attribute:: Authenticated
+
+ The special principal id named ``Authenticated``. This principal id
+ is granted to all requests which contain any other non-Everyone
+ principal id (according to the :term:`authentication policy`).
+ Its actual value is the string ``'system.Authenticated'``.
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
+
+.. attribute:: ALL_PERMISSIONS
+
+ An object that can be used as the ``permission`` member of an ACE
+ which matches all permissions unconditionally. For example, an
+ ACE that uses ``ALL_PERMISSIONS`` might be composed like so:
+ ``('Deny', 'system.Everyone', ALL_PERMISSIONS)``.
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
+
+.. attribute:: DENY_ALL
+
+ A convenience shorthand ACE that defines ``('Deny',
+ 'system.Everyone', ALL_PERMISSIONS)``. This is often used as the
+ last ACE in an ACL in systems that use an "inheriting" security
+ policy, representing the concept "don't inherit any other ACEs".
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
+
+Return Values
+-------------
+
+.. autoclass:: ACLDenied
+ :members: msg
+
+ .. automethod:: __new__
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
+
+.. autoclass:: ACLAllowed
+ :members: msg
+
+ .. automethod:: __new__
+
+ .. versionadded:: 2.0
+
+ Moved from ``pyramid.security`` into ``pyramid.authorization``.
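Review bot: The new Constants section has entries for `Everyone`, `Authenticated`, `ALL_PERMISSIONS` and `DENY_ALL` but none for `Allow` and `Deny`, while the deprecation notes this commit adds to docs/api/security.rst send readers to `pyramid.authorization.Allow` and `pyramid.authorization.Deny`. Lines 1-9 of authorization.rst are outside the hunk, so the two names may already be documented there; if they are not, those `:data:` references have no documented target and the ACE action values lose their canonical description. I would add `.. attribute:: Allow` and `.. attribute:: Deny` entries here, each carrying the existing description from security.rst and the same `.. versionadded:: 2.0` note.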
diff --git a/docs/api/request.rst b/docs/api/request.rst
index 59d85ac2a..ed7f91e91 100644
--- a/docs/api/request.rst
+++ b/docs/api/request.rst
@@ -202,7 +202,7 @@
currently authenticated, but this depends on the
:term:`authentication policy` in effect. If no :term:`authentication
policy` is in effect, this will return a sequence containing only the
- :attr:`pyramid.security.Everyone` principal.
+ :attr:`pyramid.authorization.Everyone` principal.
.. method:: invoke_subrequest(request, use_tweens=False)
diff --git a/docs/api/security.rst b/docs/api/security.rst
index edb66472e..7bfdbd0ad 100644
--- a/docs/api/security.rst
+++ b/docs/api/security.rst
@@ -10,7 +10,7 @@ Authentication API Functions
.. autofunction:: forget
-.. autofunction:: remember(request, userid, **kwargs)
+.. autofunction:: remember
Authorization API Functions
---------------------------
@@ -22,18 +22,34 @@ Authorization API Functions
Constants
---------
+.. attribute:: NO_PERMISSION_REQUIRED
+
+ A special permission which indicates that the view should always
+ be executable by entirely anonymous users, regardless of the
+ default permission, bypassing any :term:`authorization policy`
+ that may be in effect. Its actual value is the string
+ ``'__no_permission_required__'``.
+
.. attribute:: Everyone
- The special principal id named 'Everyone'. This principal id is
+ The special principal id named ``Everyone``. This principal id is
granted to all requests. Its actual value is the string
- 'system.Everyone'.
+ ``'system.Everyone'``.
+
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.Everyone`.
.. attribute:: Authenticated
- The special principal id named 'Authenticated'. This principal id
+ The special principal id named ``Authenticated``. This principal id
is granted to all requests which contain any other non-Everyone
principal id (according to the :term:`authentication policy`).
- Its actual value is the string 'system.Authenticated'.
+ Its actual value is the string ``'system.Authenticated'``.
+
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.Authenticated`.
.. attribute:: ALL_PERMISSIONS
@@ -42,6 +58,10 @@ Constants
ACE that uses ``ALL_PERMISSIONS`` might be composed like so:
``('Deny', 'system.Everyone', ALL_PERMISSIONS)``.
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.ALL_PERMISSIONS`.
+
.. attribute:: DENY_ALL
A convenience shorthand ACE that defines ``('Deny',
@@ -49,13 +69,9 @@ Constants
last ACE in an ACL in systems that use an "inheriting" security
policy, representing the concept "don't inherit any other ACEs".
-.. attribute:: NO_PERMISSION_REQUIRED
+ .. deprecated:: 2.0
- A special permission which indicates that the view should always
- be executable by entirely anonymous users, regardless of the
- default permission, bypassing any :term:`authorization policy`
- that may be in effect. Its actual value is the string
- '__no_permission_required__'.
+ Moved to :data:`pyramid.authorization.DENY_ALL`.
Return Values
-------------
@@ -64,13 +80,21 @@ Return Values
The ACE "action" (the first element in an ACE e.g. ``(Allow, Everyone,
'read')`` that means allow access. A sequence of ACEs makes up an
- ACL. It is a string, and its actual value is "Allow".
+ ACL. It is a string, and its actual value is ``'Allow'``.
+
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.Allow`.
.. attribute:: Deny
The ACE "action" (the first element in an ACE e.g. ``(Deny,
'george', 'read')`` that means deny access. A sequence of ACEs
- makes up an ACL. It is a string, and its actual value is "Deny".
+ makes up an ACL. It is a string, and its actual value is ``'Deny'``.
+
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.Deny`.
.. autoclass:: Denied
:members: msg
@@ -85,10 +109,17 @@ Return Values
.. autoclass:: ACLDenied
:members: msg
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.ACLDenied`.
+
.. automethod:: __new__
.. autoclass:: ACLAllowed
:members: msg
- .. automethod:: __new__
+ .. deprecated:: 2.0
+
+ Moved to :data:`pyramid.authorization.ACLAllowed`.
+ .. automethod:: __new__
diff --git a/docs/narr/advanced-features.rst b/docs/narr/advanced-features.rst
index 8d99f7291..6e819ff5b 100644
--- a/docs/narr/advanced-features.rst
+++ b/docs/narr/advanced-features.rst
@@ -34,7 +34,7 @@ For our example above, you can do this instead:
.. code-block:: python
:linenos:
- @view_config(route_name="items", effective_principals=pyramid.security.Authenticated)
+ @view_config(route_name="items", effective_principals=pyramid.authorization.Authenticated)
def auth_view(request):
# do one thing
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index b4203161e..10e9df78d 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -330,14 +330,13 @@ Pyramid provides :class:`pyramid.authorization.ACLHelper` to assist with an
ACL-based implementation of ``permits``. Application-specific code should
construct a list of principals for the user and call
:meth:`pyramid.authorization.ACLHelper.permits`, which will return an
-:class:`pyramid.security.ACLAllowed` or :class:`pyramid.security.ACLDenied`
+:class:`pyramid.authorization.ACLAllowed` or :class:`pyramid.authorization.ACLDenied`
object. An implementation might look like this:
.. code-block:: python
:linenos:
- from pyramid.security import Everyone, Authenticated
- from pyramid.authorization import ACLHelper
+ from pyramid.authorization import ACLHelper, Everyone, Authenticated
class SecurityPolicy:
def permits(self, request, context, permission):
@@ -358,8 +357,8 @@ For example, an ACL might be attached to the resource for a blog via its class:
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Everyone
class Blog(object):
__acl__ = [
@@ -374,8 +373,8 @@ Or, if your resources are persistent, an ACL might be specified via the
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Everyone
class Blog(object):
pass
@@ -401,8 +400,8 @@ properties of the instance.
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Everyone
class Blog(object):
def __acl__(self):
@@ -435,8 +434,8 @@ Here's an example ACL:
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Everyone
__acl__ = [
(Allow, Everyone, 'view'),
@@ -444,7 +443,7 @@ Here's an example ACL:
(Allow, 'group:editors', 'edit'),
]
-The example ACL indicates that the :data:`pyramid.security.Everyone`
+The example ACL indicates that the :data:`pyramid.authorization.Everyone`
principal—a special system-defined principal indicating, literally, everyone—is
allowed to view the blog, and the ``group:editors`` principal is allowed to add
to and edit the blog.
@@ -453,8 +452,8 @@ Each element of an ACL is an :term:`ACE`, or access control entry. For example,
in the above code block, there are three ACEs: ``(Allow, Everyone, 'view')``,
``(Allow, 'group:editors', 'add')``, and ``(Allow, 'group:editors', 'edit')``.
-The first element of any ACE is either :data:`pyramid.security.Allow`, or
-:data:`pyramid.security.Deny`, representing the action to take when the ACE
+The first element of any ACE is either :data:`pyramid.authorization.Allow`, or
+:data:`pyramid.authorization.Deny`, representing the action to take when the ACE
matches. The second element is a :term:`principal`. The third argument is a
permission or sequence of permission names.
@@ -467,9 +466,9 @@ dictated by the ACL*. So if you have an ACL like this:
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Deny
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Deny
+ from pyramid.authorization import Everyone
__acl__ = [
(Allow, Everyone, 'view'),
@@ -483,9 +482,9 @@ hand, if you have an ACL like this:
.. code-block:: python
:linenos:
- from pyramid.security import Everyone
- from pyramid.security import Allow
- from pyramid.security import Deny
+ from pyramid.authorization import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Deny
__acl__ = [
(Deny, Everyone, 'view'),
@@ -503,8 +502,8 @@ can collapse this into a single ACE, as below.
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import Everyone
+ from pyramid.authorization import Allow
+ from pyramid.authorization import Everyone
__acl__ = [
(Allow, Everyone, 'view'),
@@ -520,17 +519,17 @@ can collapse this into a single ACE, as below.
Special Principal Names
-----------------------
-Special principal names exist in the :mod:`pyramid.security` module. They can
+Special principal names exist in the :mod:`pyramid.authorization` module. They can
be imported for use in your own code to populate ACLs, e.g.,
-:data:`pyramid.security.Everyone`.
+:data:`pyramid.authorization.Everyone`.
-:data:`pyramid.security.Everyone`
+:data:`pyramid.authorization.Everyone`
Literally, everyone, no matter what. This object is actually a string under
the hood (``system.Everyone``). Every user *is* the principal named
"Everyone" during every request, even if a security policy is not in use.
-:data:`pyramid.security.Authenticated`
+:data:`pyramid.authorization.Authenticated`
Any user with credentials as determined by the current security policy. You
might think of it as any user that is "logged in". This object is actually a
@@ -543,12 +542,12 @@ be imported for use in your own code to populate ACLs, e.g.,
Special Permissions
-------------------
-Special permission names exist in the :mod:`pyramid.security` module. These
+Special permission names exist in the :mod:`pyramid.authorization` module. These
can be imported for use in ACLs.
.. _all_permissions:
-:data:`pyramid.security.ALL_PERMISSIONS`
+:data:`pyramid.authorization.ALL_PERMISSIONS`
An object representing, literally, *all* permissions. Useful in an ACL like
so: ``(Allow, 'fred', ALL_PERMISSIONS)``. The ``ALL_PERMISSIONS`` object is
@@ -565,7 +564,7 @@ Special ACEs
------------
A convenience :term:`ACE` is defined representing a deny to everyone of all
-permissions in :data:`pyramid.security.DENY_ALL`. This ACE is often used as
+permissions in :data:`pyramid.authorization.DENY_ALL`. This ACE is often used as
the *last* ACE of an ACL to explicitly cause inheriting authorization policies
to "stop looking up the traversal tree" (effectively breaking any inheritance).
For example, an ACL which allows *only* ``fred`` the view permission for a
@@ -574,18 +573,18 @@ particular resource, despite what inherited ACLs may say, might look like so:
.. code-block:: python
:linenos:
- from pyramid.security import Allow
- from pyramid.security import DENY_ALL
+ from pyramid.authorization import Allow
+ from pyramid.authorization import DENY_ALL
__acl__ = [ (Allow, 'fred', 'view'), DENY_ALL ]
-Under the hood, the :data:`pyramid.security.DENY_ALL` ACE equals the
+Under the hood, the :data:`pyramid.authorization.DENY_ALL` ACE equals the
following:
.. code-block:: python
:linenos:
- from pyramid.security import ALL_PERMISSIONS
+ from pyramid.authorization import ALL_PERMISSIONS
__acl__ = [ (Deny, Everyone, ALL_PERMISSIONS) ]
.. index::
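Review bot: The second example in this hunk builds `(Deny, Everyone, ALL_PERMISSIONS)` but imports only `ALL_PERMISSIONS`, so the snippet raises `NameError` if it is copied as shown. Since the import line is being rewritten anyway, it could become `from pyramid.authorization import ALL_PERMISSIONS, Deny, Everyone`. The block is the reference definition of the deny-everything ACE that the preceding text describes as the usual last entry of an ACL, so it is worth keeping runnable.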
@@ -681,7 +680,7 @@ security within view functions imperatively. It returns instances of objects
that are effectively booleans. But these objects are not raw ``True`` or
``False`` objects, and have information attached to them about why the
permission was allowed or denied. The object will be one of
-:data:`pyramid.security.ACLAllowed`, :data:`pyramid.security.ACLDenied`,
+:data:`pyramid.authorization.ACLAllowed`, :data:`pyramid.authorization.ACLDenied`,
:data:`pyramid.security.Allowed`, or :data:`pyramid.security.Denied`, as
documented in :ref:`security_module`. At the very minimum, these objects will
have a ``msg`` attribute, which is a string indicating why the permission was
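Review bot: The sentence now names `pyramid.authorization.ACLAllowed` and `pyramid.authorization.ACLDenied` but still says all four result types are "as documented in :ref:`security_module`", where this commit marks the two ACL classes as deprecated. The reference should also point at the authorization API page so readers land on the non-deprecated entries. The same two classes are referenced with `:class:` in the first hunk of this file and with `:data:` here; `:class:` would be consistent. The paragraph continues outside the hunk.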
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index 5ba965def..891d294d7 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -501,7 +501,7 @@ configured view.
:meth:`pyramid.request.Request.effective_principals` method indicates that
every principal named in the argument list is present in the current request,
this predicate will return True; otherwise it will return False. For
- example: ``effective_principals=pyramid.security.Authenticated`` or
+ example: ``effective_principals=pyramid.authorization.Authenticated`` or
``effective_principals=('fred', 'group:admins')``.
.. versionadded:: 1.4a4
diff --git a/docs/quick_tutorial/authorization/tutorial/resources.py b/docs/quick_tutorial/authorization/tutorial/resources.py
index 0cb656f12..b125cf083 100644
--- a/docs/quick_tutorial/authorization/tutorial/resources.py
+++ b/docs/quick_tutorial/authorization/tutorial/resources.py
@@ -1,4 +1,4 @@
-from pyramid.security import Allow, Everyone
+from pyramid.authorization import Allow, Everyone
class Root(object):
@@ -6,4 +6,4 @@ class Root(object):
(Allow, 'group:editors', 'edit')]
def __init__(self, request):
- pass \ No newline at end of file
+ pass
diff --git a/docs/quick_tutorial/authorization/tutorial/security.py b/docs/quick_tutorial/authorization/tutorial/security.py
index 5b3e04a5f..53e3536fc 100644
--- a/docs/quick_tutorial/authorization/tutorial/security.py
+++ b/docs/quick_tutorial/authorization/tutorial/security.py
@@ -1,7 +1,10 @@
import bcrypt
from pyramid.authentication import AuthTktCookieHelper
-from pyramid.authorization import ACLHelper
-from pyramid.security import Authenticated, Everyone
+from pyramid.authorization import (
+ ACLHelper,
+ Authenticated,
+ Everyone,
+)
def hash_password(pw):
diff --git a/docs/quick_tutorial/authorization/tutorial/views.py b/docs/quick_tutorial/authorization/tutorial/views.py
index 3876efb1c..b9c828086 100644
--- a/docs/quick_tutorial/authorization/tutorial/views.py
+++ b/docs/quick_tutorial/authorization/tutorial/views.py
@@ -2,13 +2,13 @@ from pyramid.httpexceptions import HTTPFound
from pyramid.security import (
remember,
forget,
- )
+)
from pyramid.view import (
view_config,
view_defaults,
forbidden_view_config
- )
+)
from .security import (
USERS,
diff --git a/docs/quick_tutorial/databases/tutorial/models.py b/docs/quick_tutorial/databases/tutorial/models.py
index 8e6649d49..bbfd480bb 100644
--- a/docs/quick_tutorial/databases/tutorial/models.py
+++ b/docs/quick_tutorial/databases/tutorial/models.py
@@ -1,4 +1,4 @@
-from pyramid.security import Allow, Everyone
+from pyramid.authorization import Allow, Everyone
from sqlalchemy import (
Column,
diff --git a/docs/tutorials/wiki/authorization.rst b/docs/tutorials/wiki/authorization.rst
index 995dfa729..3c9913d8c 100644
--- a/docs/tutorials/wiki/authorization.rst
+++ b/docs/tutorials/wiki/authorization.rst
@@ -108,8 +108,8 @@ For our application we've defined a list of a few principals:
- ``u:<userid>``
- ``group:editor``
-- :attr:`pyramid.security.Authenticated`
-- :attr:`pyramid.security.Everyone`
+- :attr:`pyramid.authorization.Authenticated`
+- :attr:`pyramid.authorization.Everyone`
Various wiki pages will grant some of these principals access to edit existing or add new pages.
@@ -176,9 +176,9 @@ Add the following lines to the ``Wiki`` class:
:emphasize-lines: 4-7
:language: python
-We import :data:`~pyramid.security.Allow`, an action which means that
+We import :data:`~pyramid.authorization.Allow`, an action which means that
permission is allowed.
-We also import :data:`~pyramid.security.Everyone`, a special :term:`principal` that is associated to all requests.
+We also import :data:`~pyramid.authorization.Everyone`, a special :term:`principal` that is associated to all requests.
Both are used in the :term:`ACE` entries that make up the ACL.
The ACL is a list that needs to be named ``__acl__`` and be an attribute of a class.
diff --git a/docs/tutorials/wiki/src/authorization/tutorial/models/__init__.py b/docs/tutorials/wiki/src/authorization/tutorial/models/__init__.py
index 64ae4bf5c..580ea41c5 100644
--- a/docs/tutorials/wiki/src/authorization/tutorial/models/__init__.py
+++ b/docs/tutorials/wiki/src/authorization/tutorial/models/__init__.py
@@ -1,11 +1,11 @@
from persistent import Persistent
from persistent.mapping import PersistentMapping
-
-from pyramid.security import (
+from pyramid.authorization import (
Allow,
Everyone,
)
+
class Wiki(PersistentMapping):
__name__ = None
__parent__ = None
diff --git a/docs/tutorials/wiki/src/authorization/tutorial/security.py b/docs/tutorials/wiki/src/authorization/tutorial/security.py
index 9f51aa54c..f4445578e 100644
--- a/docs/tutorials/wiki/src/authorization/tutorial/security.py
+++ b/docs/tutorials/wiki/src/authorization/tutorial/security.py
@@ -1,7 +1,7 @@
import bcrypt
from pyramid.authentication import AuthTktCookieHelper
-from pyramid.authorization import ACLHelper
-from pyramid.security import (
+from pyramid.authorization import (
+ ACLHelper,
Authenticated,
Everyone,
)
diff --git a/docs/tutorials/wiki/src/tests/tutorial/models/__init__.py b/docs/tutorials/wiki/src/tests/tutorial/models/__init__.py
index 64ae4bf5c..580ea41c5 100644
--- a/docs/tutorials/wiki/src/tests/tutorial/models/__init__.py
+++ b/docs/tutorials/wiki/src/tests/tutorial/models/__init__.py
@@ -1,11 +1,11 @@
from persistent import Persistent
from persistent.mapping import PersistentMapping
-
-from pyramid.security import (
+from pyramid.authorization import (
Allow,
Everyone,
)
+
class Wiki(PersistentMapping):
__name__ = None
__parent__ = None
diff --git a/docs/tutorials/wiki/src/tests/tutorial/security.py b/docs/tutorials/wiki/src/tests/tutorial/security.py
index 9f51aa54c..f4445578e 100644
--- a/docs/tutorials/wiki/src/tests/tutorial/security.py
+++ b/docs/tutorials/wiki/src/tests/tutorial/security.py
@@ -1,7 +1,7 @@
import bcrypt
from pyramid.authentication import AuthTktCookieHelper
-from pyramid.authorization import ACLHelper
-from pyramid.security import (
+from pyramid.authorization import (
+ ACLHelper,
Authenticated,
Everyone,
)
diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 001bde935..38b9b7373 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -30,7 +30,7 @@ identifiers that are easier to generalize. The permissions are then written
against the principals without focusing on the exact user involved.
:app:`Pyramid` defines two builtin principals used in every application:
-:attr:`pyramid.security.Everyone` and :attr:`pyramid.security.Authenticated`.
+:attr:`pyramid.authorization.Everyone` and :attr:`pyramid.authorization.Authenticated`.
On top of these we have already mentioned the required principals for this
application in the original design. The user has two possible roles: ``editor``
or ``basic``. These will be prefixed by the string ``role:`` to avoid clashing
@@ -40,7 +40,7 @@ Open the file ``tutorial/security.py`` and edit it as follows:
.. literalinclude:: src/authorization/tutorial/security.py
:linenos:
- :emphasize-lines: 2,5-8,17,42-53
+ :emphasize-lines: 2-6,17,42-53
:language: python
Only the highlighted lines need to be added.
diff --git a/docs/tutorials/wiki2/src/authorization/tutorial/routes.py b/docs/tutorials/wiki2/src/authorization/tutorial/routes.py
index f016d7541..f7bbe6011 100644
--- a/docs/tutorials/wiki2/src/authorization/tutorial/routes.py
+++ b/docs/tutorials/wiki2/src/authorization/tutorial/routes.py
@@ -1,11 +1,11 @@
+from pyramid.authorization import (
+ Allow,
+ Everyone,
+)
from pyramid.httpexceptions import (
HTTPNotFound,
HTTPSeeOther,
)
-from pyramid.security import (
- Allow,
- Everyone,
-)
from . import models
diff --git a/docs/tutorials/wiki2/src/authorization/tutorial/security.py b/docs/tutorials/wiki2/src/authorization/tutorial/security.py
index 7a99fb9e9..5a9d4bbf2 100644
--- a/docs/tutorials/wiki2/src/authorization/tutorial/security.py
+++ b/docs/tutorials/wiki2/src/authorization/tutorial/security.py
@@ -1,11 +1,11 @@
from pyramid.authentication import AuthTktCookieHelper
-from pyramid.authorization import ACLHelper
-from pyramid.csrf import CookieCSRFStoragePolicy
-from pyramid.request import RequestLocalCache
-from pyramid.security import (
+from pyramid.authorization import (
+ ACLHelper,
Authenticated,
Everyone,
)
+from pyramid.csrf import CookieCSRFStoragePolicy
+from pyramid.request import RequestLocalCache
from . import models
diff --git a/docs/tutorials/wiki2/src/tests/tutorial/routes.py b/docs/tutorials/wiki2/src/tests/tutorial/routes.py
index f016d7541..7070884d3 100644
--- a/docs/tutorials/wiki2/src/tests/tutorial/routes.py
+++ b/docs/tutorials/wiki2/src/tests/tutorial/routes.py
@@ -2,7 +2,7 @@ from pyramid.httpexceptions import (
HTTPNotFound,
HTTPSeeOther,
)
-from pyramid.security import (
+from pyramid.authorization import (
Allow,
Everyone,
)
diff --git a/docs/tutorials/wiki2/src/tests/tutorial/security.py b/docs/tutorials/wiki2/src/tests/tutorial/security.py
index 7a99fb9e9..5a9d4bbf2 100644
--- a/docs/tutorials/wiki2/src/tests/tutorial/security.py
+++ b/docs/tutorials/wiki2/src/tests/tutorial/security.py
@@ -1,11 +1,11 @@
from pyramid.authentication import AuthTktCookieHelper
-from pyramid.authorization import ACLHelper
-from pyramid.csrf import CookieCSRFStoragePolicy
-from pyramid.request import RequestLocalCache
-from pyramid.security import (
+from pyramid.authorization import (
+ ACLHelper,
Authenticated,
Everyone,
)
+from pyramid.csrf import CookieCSRFStoragePolicy
+from pyramid.request import RequestLocalCache
from . import models
diff --git a/docs/whatsnew-2.0.rst b/docs/whatsnew-2.0.rst
index d5f825c43..a58f317d7 100644
--- a/docs/whatsnew-2.0.rst
+++ b/docs/whatsnew-2.0.rst
@@ -95,4 +95,4 @@ The new :attr:`pyramid.request.Request.authenticated_identity` property will
output the same result as :attr:`pyramid.request.Request.authenticated_userid`.
If using a security policy, :attr:`pyramid.request.Request.unauthenticated_userid` will return the same value as :attr:`pyramid.request.Request.authenticated_userid`.
-:attr:`pyramid.request.Request.effective_principals` will always return a one-element list containing the :data:`pyramid.security.Everyone` principal, as there is no equivalent in the new security policy.
+:attr:`pyramid.request.Request.effective_principals` will always return a one-element list containing the :data:`pyramid.authorization.Everyone` principal, as there is no equivalent in the new security policy.