- It is no longer permissible for a security ACE to contain a "nested"

  list of permissions (e.g. ``(Allow, Everyone, ['read', ['view',
  ['write', 'manage']]])`)`.  The list must instead be fully expanded
  (e.g. ``(Allow, Everyone, ['read', 'view', 'write', 'manage])``).  This
  feature was never documented, and was never an API, so it's not a
  backwards incompatibility.

2 files changed, 2 insertions, 47 deletions

diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py
index edb7871d8..1ee7b28a0 100644
--- a/repoze/bfg/security.py
+++ b/repoze/bfg/security.py
@@ -81,9 +81,7 @@ class ACLSecurityPolicy(object):
             for ace in acl:
                 ace_action, ace_principal, ace_permissions = ace
                 if ace_principal in principals:
-                    if hasattr(ace_permissions, '__iter__'):
-                        ace_permissions = _flatten(ace_permissions)
-                    else:
+                    if not hasattr(ace_permissions, '__iter__'):
                         ace_permissions = [ace_permissions]
                     if permission in ace_permissions:
                         if ace_action == Allow:
@@ -126,9 +124,7 @@ class ACLSecurityPolicy(object):
 
             for ace_action, ace_principal, ace_permissions in acl:
                 if ace_action == Allow:
-                    if hasattr(ace_permissions, '__iter__'):
-                        ace_permissions = _flatten(ace_permissions)
-                    else:
+                    if not hasattr(ace_permissions, '__iter__'):
                         ace_permissions = [ace_permissions]
                     if permission in ace_permissions:
                         allowed[ace_principal] = True
@@ -295,26 +291,6 @@ class ACLAllowed(ACLPermitsResult):
     as he ``msg`` attribute."""
     boolval = 1
 
-def _flatten(iterable):
-    """flatten(sequence) -> list
-
-    Returns a single, flat list which contains all elements retrieved
-    from the sequence and all recursively contained sub-sequences
-    (iterables).
-
-    Examples:
-    >>> [1, 2, [3,4], (5,6)]
-    [1, 2, [3, 4], (5, 6)]
-    >>> flatten([[[1,2,3], (42,None)], [4,5], [6], 7, MyVector(8,9,10)])
-    [1, 2, 3, 42, None, 4, 5, 6, 7, 8, 9, 10]"""
-    result = []
-    for el in iterable:
-        if hasattr(el, "__iter__"):
-            result.extend(_flatten(el))
-        else:
-            result.append(el)
-    return result
-
 class ViewPermission(object):
     implements(IViewPermission)
     def __init__(self, context, request, permission_name):
diff --git a/repoze/bfg/tests/test_security.py b/repoze/bfg/tests/test_security.py
index 3ee89d9c3..69b92cd2f 100644
--- a/repoze/bfg/tests/test_security.py
+++ b/repoze/bfg/tests/test_security.py
@@ -531,27 +531,6 @@ class TestACLDenied(unittest.TestCase):
         self.failUnless('<ACLDenied instance at ' in repr(denied))
         self.failUnless("with msg %r>" % msg in repr(denied))
 
-class TestFlatten(unittest.TestCase):
-    def _callFUT(self, item):
-        from repoze.bfg.security import _flatten
-        return _flatten(item)
-
-    def test_flat_sequence(self):
-        result = self._callFUT([1, 2, 3])
-        self.assertEqual(result, [1, 2, 3])
-
-    def test_singly_nested_sequence(self):
-        result = self._callFUT([1, [2, 3]])
-        self.assertEqual(result, [1, 2, 3])
-        
-    def test_doubly_nested_sequence(self):
-        result = self._callFUT([1, [2, [3]]])
-        self.assertEqual(result, [1, 2, 3])
-
-    def test_mix_str_unicode_sequence(self):
-        result = self._callFUT([1, [2, [3]], u'a', ('b', set(['c', 'd']))])
-        self.assertEqual(result, [1, 2, 3, u'a', 'b', 'c', 'd'])
-
 class DummyContext:
     pass