| -rw-r--r-- | repoze/bfg/authorization.py | 51 |
1 files changed, 28 insertions, 23 deletions
diff --git a/repoze/bfg/authorization.py b/repoze/bfg/authorization.py
index bc8b92b5e..05214162e 100644
--- a/repoze/bfg/authorization.py
+++ b/repoze/bfg/authorization.py
@@ -25,31 +25,34 @@ class ACLAuthorizationPolicy(object): context's parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies. - During this processing, if any ``Deny`` ACE is found matching - any principal in ``principals``, stop processing by returning an - ``ACLDenied`` (equals ``False``) immediately. If any ``Allow`` - ACE is found matching any principal, stop processing by - returning an ``ACLAllowed`` (equals ``True``) immediately. If - we exhaust the context's lineage, and no ACE has explicitly - permitted or denied access, return an ``ACLDenied``. This - differs from the non-inheriting security policy (the - ``ACLSecurityPolicy``) by virtue of the fact that it does not - stop looking for ACLs in the object lineage after it finds the - first one. + During this processing, if any :data:`repoze.bfg.security.Deny` + ACE is found matching any principal in ``principals``, stop + processing by returning an + :class:`repoze.bfg.security.ACLDenied` instance (equals + ``False``) immediately. If any + :data:`repoze.bfg.security.Allow` ACE is found matching any + principal, stop processing by returning an + :class:`repoze.bfg.security.ACLAllowed` instance (equals + ``True``) immediately. If we exhaust the context's + :term:`lineage`, and no ACE has explicitly permitted or denied + access, return an instance of + :class:`repoze.bfg.security.ACLDenied` (equals ``False``). - When computing principals allowed by a permission via the - ``principals_allowed_by_permission`` method, we compute the set + ``principals_allowed_by_permission``` method, we compute the set of principals that are explicitly granted the ``permission`` in the provided ``context``. We do this by walking 'up' the object graph *from the root* to the context. During this walking - process, if we find an explicit ``Allow`` ACE for a principal - that matches the ``permission``, the principal is included in - the allow list. 
However, if later in the walking process that - principal is mentioned in any ``Deny`` ACE for the permission, - the principal is removed from the allow list. If a ``Deny`` to - the principal ``Everyone`` is encountered during the walking - process that matches the ``permission``, the allow list is - cleared for all principals encountered in previous ACLs. The + process, if we find an explicit + :data:`repoze.bfg.security.Allow` ACE for a principal that + matches the ``permission``, the principal is included in the + allow list. However, if later in the walking process that + principal is mentioned in any :data:`repoze.bfg.security.Deny` + ACE for the permission, the principal is removed from the allow + list. If a :data:`repoze.bfg.security.Deny` to the principal + :data:`repoze.bfg.security.Everyone` is encountered during the + walking process that matches the ``permission``, the allow list + is cleared for all principals encountered in previous ACLs. The walking process ends after we've processed the any ACL directly attached to ``context``; a set of principals is returned. """ @@ -57,8 +60,10 @@ class ACLAuthorizationPolicy(object): implements(IAuthorizationPolicy) def permits(self, context, principals, permission): - """ Return ``ACLAllowed`` if the policy permits access, - ``ACLDenied`` if not. """ + """ Return an instance of + :class:`repoze.bfg.security.ACLAllowed` instance if the policy + permits access, return an instance of + :class:`repoze.bfg.security.ACLDenied` if not.""" acl = '<No ACL found on any object in model lineage>' @@ -94,7 +99,7 @@ class ACLAuthorizationPolicy(object): """ Return the set of principals explicitly granted the permission named ``permission`` according to the ACL directly attached to the ``context`` as well as inherited ACLs based on - :term:`lineage`.""" + the :term:`lineage`.""" allowed = set() for location in reversed(list(lineage(context))): |
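Review bot: On the new side of the first hunk the inline literal for principals_allowed_by_permission is closed with three backticks instead of two (the `-` line it replaces had the correct ``principals_allowed_by_permission``), so this commit introduces an unterminated reST literal that Sphinx will warn about and render with a stray backtick; drop the extra backtick so the line again reads ``principals_allowed_by_permission`` method, we compute the set. Since the rewritten text is the authoritative description of the deny/allow semantics, it is worth making the precedence consequence explicit for people writing ACLs: because the walk from ``context`` toward the root stops at the first matching ACE, an ``Allow`` on an object nearer to ``context`` overrides a ``Deny`` placed higher in the lineage, and within one ACL the earlier ACE wins; I would add one sentence after "immediately" saying so, e.g. "Consequently an ACL closer to ``context`` takes precedence over ACLs further up the lineage, and ACE order within a single ACL matters." The unchanged context line "after we've processed the any ACL directly attached to ``context``" has a stray "the" that could be fixed in passing. This is the ``ACLAuthorizationPolicy`` class docstring and both its start and the class body lie outside the hunk.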
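Review bot: The rewritten ``permits`` docstring in the second hunk says "Return an instance of :class:`repoze.bfg.security.ACLAllowed` instance if the policy permits access", doubling the word "instance"; suggest `""" Return a :class:`repoze.bfg.security.ACLAllowed` instance if the policy permits access, a :class:`repoze.bfg.security.ACLDenied` instance if not. """`. Given that both return objects compare equal to a bool (per the class docstring), a short reminder here that callers should treat the result as a boolean and not rely on identity would help readers of this method alone. The body of ``permits`` continues past the hunk; only the ``acl`` sentinel assignment is visible.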
