-rw-r--r--docs/narr/security.rst12
-rw-r--r--src/pyramid/interfaces.py2
-rw-r--r--src/pyramid/security.py6
-rw-r--r--src/pyramid/testing.py2
-rw-r--r--src/pyramid/viewderivers.py9
-rw-r--r--tests/pkgs/securityapp/__init__.py4
-rw-r--r--tests/test_config/test_views.py6
-rw-r--r--tests/test_security.py7
-rw-r--r--tests/test_testing.py2
-rw-r--r--tests/test_viewderivers.py2
10 files changed, 29 insertions, 23 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index b01bec903..07b7fe825 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -80,9 +80,8 @@ A simple security policy might look like the following:
""" Return a string ID for the user. """
return self.identify(request).id
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
""" Allow access to everything if signed in. """
- identity = self.identify(request)
if identity is not None:
return Allowed('User is signed in.')
else:
@@ -148,9 +147,8 @@ For example, our above security policy can leverage these helpers like so:
def authenticated_userid(self, request):
return self.identify(request).id
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
""" Allow access to everything if signed in. """
- identity = self.identify(request)
if identity is not None:
return Allowed('User is signed in.')
else:
@@ -238,9 +236,7 @@ might look like so:
from pyramid.security import Allowed, Denied
class SecurityPolicy:
- def permits(self, request, context, permission):
- identity = self.identify(request)
-
+ def permits(self, request, context, identity, permission):
if identity is None:
return Denied('User is not signed in.')
if identity.role == 'admin':
@@ -330,7 +326,7 @@ object. An implementation might look like this:
from pyramid.authorization import ACLHelper
class SecurityPolicy:
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
principals = [Everyone]
if identity is not None:
principals.append(Authenticated)
diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py
index 891b851ee..d20401028 100644
--- a/src/pyramid/interfaces.py
+++ b/src/pyramid/interfaces.py
@@ -494,7 +494,7 @@ class ISecurityPolicy(Interface):
verified user, or ``None`` if unauthenticated.
"""
- def permits(request, context, permission):
+ def permits(request, context, identity, permission):
""" Return an instance of :class:`pyramid.security.Allowed` if a user
of the given identity is allowed the ``permission`` in the current
``context``, else return an instance of
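Review bot: The `identity` parameter added to `ISecurityPolicy.permits` is not described by the docstring that follows it; the text names `permission` and `context` but says nothing about what `identity` is or who supplies it. Elsewhere in this commit the callers pass the result of `policy.identify(request)` (viewderivers.py) or `request.authenticated_identity` (security.py), so the interface should state that contract rather than leave implementors to infer it, for example by adding `` ``identity`` is the value returned by ``identify`` for this request, or ``None`` if unauthenticated `` to the docstring. The docstring continues outside the hunk.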
diff --git a/src/pyramid/security.py b/src/pyramid/security.py
index e3a978c52..d6af69e51 100644
--- a/src/pyramid/security.py
+++ b/src/pyramid/security.py
@@ -351,7 +351,9 @@ class SecurityAPIMixin:
policy = _get_security_policy(self)
if policy is None:
return Allowed('No security policy in use.')
- return policy.permits(self, context, permission)
+ return policy.permits(
+ self, context, self.authenticated_identity, permission
+ )
class AuthenticationAPIMixin(object):
@@ -447,7 +449,7 @@ class LegacySecurityPolicy:
authn = self._get_authn_policy(request)
return authn.forget(request)
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
authn = self._get_authn_policy(request)
authz = self._get_authz_policy(request)
principals = authn.effective_principals(request)
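Review bot: `LegacySecurityPolicy.permits` now takes `identity` but the visible body never reads it; the principals are still derived from `authn.effective_principals(request)` on the last line of the hunk. That is presumably deliberate, since the legacy authentication policy computes principals from the request rather than from an identity value, but a reader checking this class against the new `ISecurityPolicy.permits` signature will wonder whether the argument was simply forgotten. A one-line comment on the signature line, `# identity is unused: legacy authn policies derive principals from the request`, would record the intent. The method body continues outside the hunk.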
diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py
index a92bb5d03..f550156dd 100644
--- a/src/pyramid/testing.py
+++ b/src/pyramid/testing.py
@@ -64,7 +64,7 @@ class DummySecurityPolicy(object):
def authenticated_userid(self, request):
return self.userid
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
return self.permissive
def remember(self, request, userid, **kw):
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index 7c28cbf85..35f9a08d2 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
@@ -316,7 +316,8 @@ def _secured_view(view, info):
if policy and (permission is not None):
def permitted(context, request):
- return policy.permits(request, context, permission)
+ identity = policy.identify(request)
+ return policy.permits(request, context, identity, permission)
def secured_view(context, request):
result = permitted(context, request)
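Review bot: The new `identity = policy.identify(request)` in `permitted` (and the same two lines in `_authdebug_view` in the next hunk) resolves the identity straight from the policy, whereas `SecurityAPIMixin.has_permission` in the same commit passes `self.authenticated_identity`. If that request property caches or otherwise wraps `identify()` (not visible here), a view's permission check and `request.has_permission()` can reach `permits` with different identity values, and `identify()` runs once per lookup on every secured view. Routing both derivers through the request attribute, `return policy.permits(request, context, request.authenticated_identity, permission)`, would keep a single resolution path, assuming the request type used here exposes it. Both `_secured_view` and `_authdebug_view` continue outside their hunks.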
@@ -362,8 +363,10 @@ def _authdebug_view(view, info):
elif permission is None:
msg = 'Allowed (no permission registered)'
else:
- result = policy.permits(request, context, permission)
- msg = str(result)
+ identity = policy.identify(request)
+ msg = str(
+ policy.permits(request, context, identity, permission)
+ )
else:
msg = 'Allowed (no security policy in use)'
diff --git a/tests/pkgs/securityapp/__init__.py b/tests/pkgs/securityapp/__init__.py
index 6c9025e7d..caf65ad4c 100644
--- a/tests/pkgs/securityapp/__init__.py
+++ b/tests/pkgs/securityapp/__init__.py
@@ -4,12 +4,12 @@ from pyramid.security import Allowed, Denied
class SecurityPolicy:
def identify(self, request):
- raise NotImplementedError() # pragma: no cover
+ return self.authenticated_userid(request)
def authenticated_userid(self, request):
return request.environ.get('REMOTE_USER')
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
userid = self.authenticated_userid(request)
if userid and permission == 'foo':
return Allowed('')
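Review bot: `permits` still computes `userid = self.authenticated_userid(request)` on the line after its new signature instead of using the `identity` it now receives, so this fixture never checks the value the framework passes in; a `None` or wrong identity arriving from the view deriver would go unnoticed here. Since `identify()` in the same hunk now returns exactly `self.authenticated_userid(request)`, replacing those two lines with `if identity and permission == 'foo':` keeps the fixture's behaviour while making it sensitive to the new plumbing. The method body continues outside the hunk.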
diff --git a/tests/test_config/test_views.py b/tests/test_config/test_views.py
index a474d3754..a1e975756 100644
--- a/tests/test_config/test_views.py
+++ b/tests/test_config/test_views.py
@@ -2045,9 +2045,10 @@ class TestViewsConfigurationMixin(unittest.TestCase):
outerself.assertEqual(r, request)
return 123
- def permits(self, r, context, permission):
+ def permits(self, r, context, identity, permission):
outerself.assertEqual(r, request)
outerself.assertEqual(context, None)
+ outerself.assertEqual(identity, 123)
outerself.assertEqual(permission, 'view')
return True
@@ -2069,9 +2070,10 @@ class TestViewsConfigurationMixin(unittest.TestCase):
outerself.assertEqual(r, request)
return 123
- def permits(self, r, context, permission):
+ def permits(self, r, context, identity, permission):
outerself.assertEqual(r, request)
outerself.assertEqual(context, None)
+ outerself.assertEqual(identity, 123)
outerself.assertEqual(permission, 'view')
return True
diff --git a/tests/test_security.py b/tests/test_security.py
index 1c969e305..3896e008d 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -480,7 +480,10 @@ class TestLegacySecurityPolicy(unittest.TestCase):
_registerAuthenticationPolicy(request.registry, ['p1', 'p2'])
_registerAuthorizationPolicy(request.registry, True)
- self.assertTrue(policy.permits(request, request.context, 'permission'))
+ self.assertIs(
+ policy.permits(request, request.context, 'userid', 'permission'),
+ True,
+ )
_TEST_HEADER = 'X-Pyramid-Test'
@@ -501,7 +504,7 @@ class DummySecurityPolicy:
def authenticated_userid(self, request):
return self.result
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
return self.result
def remember(self, request, userid, **kw):
diff --git a/tests/test_testing.py b/tests/test_testing.py
index 6eb474f65..a329b0a04 100644
--- a/tests/test_testing.py
+++ b/tests/test_testing.py
@@ -33,7 +33,7 @@ class TestDummySecurityPolicy(unittest.TestCase):
def test_permits(self):
policy = self._makeOne()
- self.assertTrue(policy.permits(None, None, None))
+ self.assertEqual(policy.permits(None, None, None, None), True)
def test_forget(self):
policy = self._makeOne()
diff --git a/tests/test_viewderivers.py b/tests/test_viewderivers.py
index f1aa00e5b..48a564c7b 100644
--- a/tests/test_viewderivers.py
+++ b/tests/test_viewderivers.py
@@ -2089,7 +2089,7 @@ class DummySecurityPolicy:
def authenticated_userid(self, request):
return 123
- def permits(self, request, context, permission):
+ def permits(self, request, context, identity, permission):
return self.permitted