- The ACL authorization policy debugging output when

  ``debug_authorization`` consule debugging output was turned on
  wasn't as clear as it could have been when a view execution was
  denied due to an authorization failure resulting from the set of
  principals passed never having matched any ACE in any ACL in the
  lineage.  Now in this case, we report ``<default deny>`` as the ACE
  value and either the root ACL or ``<No ACL found on any object in
  model lineage>`` if no ACL was found.

1 files changed, 11 insertions, 1 deletions

diff --git a/repoze/bfg/tests/test_authorization.py b/repoze/bfg/tests/test_authorization.py
index 8aa9b9abf..6b8c8293a 100644
--- a/repoze/bfg/tests/test_authorization.py
+++ b/repoze/bfg/tests/test_authorization.py
@@ -61,12 +61,14 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
         self.assertEqual(result, True)
         self.assertEqual(result.context, blog)
         self.assertEqual(result.ace, (Allow, 'wilma', VIEW))
+        self.assertEqual(result.acl, blog.__acl__)
 
         result = policy.permits(blog, [Everyone, Authenticated, 'wilma'],
                                 'delete')
         self.assertEqual(result, False)
         self.assertEqual(result.context, community)
         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+        self.assertEqual(result.acl, community.__acl__)
 
         result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view')
         self.assertEqual(result, True)
@@ -77,6 +79,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
         self.assertEqual(result, True)
         self.assertEqual(result.context, community)
         self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
+        self.assertEqual(result.acl, community.__acl__)
 
         result = policy.permits(blog, [Everyone, Authenticated, 'barney'],
                                 'view')
@@ -88,6 +91,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
         self.assertEqual(result, False)
         self.assertEqual(result.context, community)
         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+        self.assertEqual(result.acl, community.__acl__)
         
         result = policy.permits(root, [Everyone, Authenticated, 'someguy'],
                                 'view')
@@ -99,15 +103,21 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
         self.assertEqual(result, False)
         self.assertEqual(result.context, community)
         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+        self.assertEqual(result.acl, community.__acl__)
 
         result = policy.permits(root, [Everyone], 'view')
         self.assertEqual(result, False)
         self.assertEqual(result.context, root)
-        self.assertEqual(result.ace, None)
+        self.assertEqual(result.ace, '<default deny>')
+        self.assertEqual(result.acl, root.__acl__)
 
         context = DummyContext()
         result = policy.permits(context, [Everyone], 'view')
         self.assertEqual(result, False)
+        self.assertEqual(result.ace, '<default deny>')
+        self.assertEqual(
+            result.acl,
+            '<No ACL found on any object in model lineage>')
 
     def test_principals_allowed_by_permission_direct(self):
         from repoze.bfg.security import Allow