| -rw-r--r-- | docs/narr/security.rst | 12 | ||||
| -rw-r--r-- | src/pyramid/interfaces.py | 2 | ||||
| -rw-r--r-- | src/pyramid/security.py | 6 | ||||
| -rw-r--r-- | src/pyramid/testing.py | 2 | ||||
| -rw-r--r-- | src/pyramid/viewderivers.py | 9 | ||||
| -rw-r--r-- | tests/pkgs/securityapp/__init__.py | 4 | ||||
| -rw-r--r-- | tests/test_config/test_views.py | 6 | ||||
| -rw-r--r-- | tests/test_security.py | 7 | ||||
| -rw-r--r-- | tests/test_testing.py | 2 | ||||
| -rw-r--r-- | tests/test_viewderivers.py | 2 |
10 files changed, 23 insertions, 29 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index aac9eeb7b..cdc16b6a1 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -80,8 +80,9 @@ A simple security policy might look like the following:
 """ Return a string ID for the user. """
 return self.identify(request).id
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 """ Allow access to everything if signed in. """
+ identity = self.identify(request)
 if identity is not None:
 return Allowed('User is signed in.')
 else:
@@ -147,8 +148,9 @@ For example, our above security policy can leverage these helpers like so:
 def authenticated_userid(self, request):
 return self.identify(request).id
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 """ Allow access to everything if signed in. """
+ identity = self.identify(request)
 if identity is not None:
 return Allowed('User is signed in.')
 else:
@@ -236,7 +238,9 @@ might look like so:
 from pyramid.security import Allowed, Denied
 
 class SecurityPolicy:
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
+ identity = self.identify(request)
+
 if identity is None:
 return Denied('User is not signed in.')
 if identity.role == 'admin':
@@ -326,7 +330,7 @@ object. An implementation might look like this:
 from pyramid.authorization import ACLHelper
 
 class SecurityPolicy:
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 principals = [Everyone]
 if identity is not None:
 principals.append(Authenticated)
diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py
index d20401028..891b851ee 100644
--- a/src/pyramid/interfaces.py
+++ b/src/pyramid/interfaces.py
@@ -494,7 +494,7 @@ class ISecurityPolicy(Interface):
 verified user, or ``None`` if unauthenticated.
 """
 
- def permits(request, context, identity, permission):
+ def permits(request, context, permission):
 """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current ``context``, else return an instance of
diff --git a/src/pyramid/security.py b/src/pyramid/security.py
index d6af69e51..e3a978c52 100644
--- a/src/pyramid/security.py
+++ b/src/pyramid/security.py
@@ -351,9 +351,7 @@ class SecurityAPIMixin:
 policy = _get_security_policy(self)
 if policy is None:
 return Allowed('No security policy in use.')
- return policy.permits(
- self, context, self.authenticated_identity, permission
- )
+ return policy.permits(self, context, permission)
 
 
 class AuthenticationAPIMixin(object):
@@ -449,7 +447,7 @@ class LegacySecurityPolicy:
 authn = self._get_authn_policy(request)
 return authn.forget(request)
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 authn = self._get_authn_policy(request)
 authz = self._get_authz_policy(request)
 principals = authn.effective_principals(request)
diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py
index f550156dd..a92bb5d03 100644
--- a/src/pyramid/testing.py
+++ b/src/pyramid/testing.py
@@ -64,7 +64,7 @@ class DummySecurityPolicy(object):
 def authenticated_userid(self, request):
 return self.userid
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 return self.permissive
 
 def remember(self, request, userid, **kw):
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index 35f9a08d2..7c28cbf85 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
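Review bot: The docstring of `ISecurityPolicy.permits` still says "if a user of the given identity is allowed", but the hunk removes the `identity` parameter, so the contract no longer tells implementers where the identity now comes from — after this change the policy itself is the only place that can establish who is being authorized. Reword that phrase to something like `if the user this policy identifies for the ``request`` is allowed the ``permission`` in the current ``context``` so the responsibility is explicit; the docstring continues past the end of the hunk. The same gap shows up in the ACLHelper example in docs/narr/security.rst (@@ -326): its `permits` body still tests `identity is not None` but, unlike the three earlier examples, never gained the `identity = self.identify(request)` line, so the example as printed would raise NameError.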
@@ -316,8 +316,7 @@ def _secured_view(view, info):
 if policy and (permission is not None):
 
 def permitted(context, request):
- identity = policy.identify(request)
- return policy.permits(request, context, identity, permission)
+ return policy.permits(request, context, permission)
 
 def secured_view(context, request):
 result = permitted(context, request)
@@ -363,10 +362,8 @@ def _authdebug_view(view, info):
 elif permission is None:
 msg = 'Allowed (no permission registered)'
 else:
- identity = policy.identify(request)
- msg = str(
- policy.permits(request, context, identity, permission)
- )
+ result = policy.permits(request, context, permission)
+ msg = str(result)
 else:
 msg = 'Allowed (no security policy in use)'
 
diff --git a/tests/pkgs/securityapp/__init__.py b/tests/pkgs/securityapp/__init__.py
index caf65ad4c..6c9025e7d 100644
--- a/tests/pkgs/securityapp/__init__.py
+++ b/tests/pkgs/securityapp/__init__.py
@@ -4,12 +4,12 @@ from pyramid.security import Allowed, Denied
 
 class SecurityPolicy:
 def identify(self, request):
- return self.authenticated_userid(request)
+ raise NotImplementedError() # pragma: no cover
 
 def authenticated_userid(self, request):
 return request.environ.get('REMOTE_USER')
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 userid = self.authenticated_userid(request)
 if userid and permission == 'foo':
 return Allowed('')
diff --git a/tests/test_config/test_views.py b/tests/test_config/test_views.py
index a1e975756..a474d3754 100644
--- a/tests/test_config/test_views.py
+++ b/tests/test_config/test_views.py
@@ -2045,10 +2045,9 @@ class TestViewsConfigurationMixin(unittest.TestCase):
 outerself.assertEqual(r, request)
 return 123
 
- def permits(self, r, context, identity, permission):
+ def permits(self, r, context, permission):
 outerself.assertEqual(r, request)
 outerself.assertEqual(context, None)
- outerself.assertEqual(identity, 123)
 outerself.assertEqual(permission, 'view')
 return True
 
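Review bot: In tests/pkgs/securityapp/__init__.py the fixture's `identify` now raises `NotImplementedError()` while `permits` still derives the user from `authenticated_userid`, which leaves the fixture at odds with the interface described elsewhere in this diff, where `identify` returns the verified user or `None`. If the purpose is to make the suite fail loudly should the framework ever call `identify` on the authorization path again, that intent is worth stating on the line, e.g. `raise NotImplementedError()  # pragma: no cover -- authorization must not go through identify()`. If that is not the intent, any test in this package that reads the request's `authenticated_identity` (presumably routed through `identify`) would now raise, and returning the same value as `authenticated_userid` would be the safer fixture.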
@@ -2070,10 +2069,9 @@ class TestViewsConfigurationMixin(unittest.TestCase):
 outerself.assertEqual(r, request)
 return 123
 
- def permits(self, r, context, identity, permission):
+ def permits(self, r, context, permission):
 outerself.assertEqual(r, request)
 outerself.assertEqual(context, None)
- outerself.assertEqual(identity, 123)
 outerself.assertEqual(permission, 'view')
 return True
 
diff --git a/tests/test_security.py b/tests/test_security.py
index a555fd7f6..f39e3c730 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -489,10 +489,7 @@ class TestLegacySecurityPolicy(unittest.TestCase):
 _registerAuthenticationPolicy(request.registry, ['p1', 'p2'])
 _registerAuthorizationPolicy(request.registry, True)
 
- self.assertIs(
- policy.permits(request, request.context, 'userid', 'permission'),
- True,
- )
+ self.assertTrue(policy.permits(request, request.context, 'permission'))
 
 
 _TEST_HEADER = 'X-Pyramid-Test'
@@ -513,7 +510,7 @@ class DummySecurityPolicy:
 def authenticated_userid(self, request):
 return self.result
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 return self.result
 
 def remember(self, request, userid, **kw):
diff --git a/tests/test_testing.py b/tests/test_testing.py
index 22bc7332b..be519cd15 100644
--- a/tests/test_testing.py
+++ b/tests/test_testing.py
@@ -37,7 +37,7 @@ class TestDummySecurityPolicy(unittest.TestCase):
 
 def test_permits(self):
 policy = self._makeOne()
- self.assertEqual(policy.permits(None, None, None, None), True)
+ self.assertTrue(policy.permits(None, None, None))
 
 def test_forget(self):
 policy = self._makeOne()
diff --git a/tests/test_viewderivers.py b/tests/test_viewderivers.py
index e47296b50..ba10eeaac 100644
--- a/tests/test_viewderivers.py
+++ b/tests/test_viewderivers.py
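Review bot: The rewritten assertion in tests/test_security.py (@@ -489) loosens the test: `assertIs(..., True)` pinned the exact value the legacy policy passes back from the registered authorization policy (registered here as `True`), whereas `assertTrue` also passes for any truthy stand-in such as an `Allowed` instance or a non-empty string, so a regression in what `LegacySecurityPolicy.permits` returns would no longer be caught. Keeping the strict form on one line, `self.assertIs(policy.permits(request, request.context, 'permission'), True)`, preserves the old guarantee with the new signature; the enclosing test method starts outside the hunk. The `test_permits` hunk in tests/test_testing.py (@@ -37) makes the same substitution and could likewise keep `self.assertEqual(policy.permits(None, None, None), True)`.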
@@ -2086,7 +2086,7 @@ class DummySecurityPolicy:
 
 def identify(self, request):
 return 123
 
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
 return self.permitted
 
|
