-rw-r--r--pyramid/authorization.py20
-rw-r--r--pyramid/tests/test_authorization.py23
2 files changed, 33 insertions, 10 deletions
diff --git a/pyramid/authorization.py b/pyramid/authorization.py
index f27369172..ae20aabfd 100644
--- a/pyramid/authorization.py
+++ b/pyramid/authorization.py
@@ -115,18 +115,18 @@ class ACLAuthorizationPolicy(object):
for ace_action, ace_principal, ace_permissions in acl:
if not hasattr(ace_permissions, '__iter__'):
ace_permissions = [ace_permissions]
- if ace_action == Allow and permission in ace_permissions:
+ if (ace_action == Allow) and (permission in ace_permissions):
if not ace_principal in denied_here:
allowed_here.add(ace_principal)
- if ace_action == Deny and permission in ace_permissions:
- denied_here.add(ace_principal)
- if ace_principal == Everyone:
- # clear the entire allowed set, as we've hit a
- # deny of Everyone ala (Deny, Everyone, ALL)
- allowed = set()
- break
- elif ace_principal in allowed:
- allowed.remove(ace_principal)
+ if (ace_action == Deny) and (permission in ace_permissions):
+ denied_here.add(ace_principal)
+ if ace_principal == Everyone:
+ # clear the entire allowed set, as we've hit a
+ # deny of Everyone ala (Deny, Everyone, ALL)
+ allowed = set()
+ break
+ elif ace_principal in allowed:
+ allowed.remove(ace_principal)
allowed.update(allowed_here)
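Review bot: The `permission in ace_permissions` test on the rewritten Allow and Deny lines is an exact match only if the normalisation two lines above has wrapped a single string permission in a list, and that check relies on strings lacking `__iter__`. That holds on Python 2, but on an interpreter where `str` is iterable a string permission would skip the wrap and `in` would become a substring test, so an ACE for `'readwrite'` would match a query for `'read'` in both branches. Testing for a string explicitly removes the dependency: `if isinstance(ace_permissions, str) or not hasattr(ace_permissions, '__iter__'):`. The enclosing method starts and ends outside this hunk, and this page has lost the leading indentation, so the nesting of the re-added Deny block could not be checked here.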
diff --git a/pyramid/tests/test_authorization.py b/pyramid/tests/test_authorization.py
index c4b2fb142..ed461e2ba 100644
--- a/pyramid/tests/test_authorization.py
+++ b/pyramid/tests/test_authorization.py
@@ -169,6 +169,29 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
result = sorted(policy.principals_allowed_by_permission(context,'read'))
self.assertEqual(result, [])
+ def test_principals_allowed_by_permission_deny_not_permission_in_acl(self):
+ from pyramid.security import Deny
+ from pyramid.security import Everyone
+ context = DummyContext()
+ acl = [ (Deny, Everyone, 'write') ]
+ context.__acl__ = acl
+ policy = self._makeOne()
+ result = sorted(
+ policy.principals_allowed_by_permission(context, 'read'))
+ self.assertEqual(result, [])
+
+ def test_principals_allowed_by_permission_deny_permission_in_acl(self):
+ from pyramid.security import Deny
+ from pyramid.security import Everyone
+ context = DummyContext()
+ acl = [ (Deny, Everyone, 'read') ]
+ context.__acl__ = acl
+ policy = self._makeOne()
+ result = sorted(
+ policy.principals_allowed_by_permission(context, 'read'))
+ self.assertEqual(result, [])
+
+
class DummyContext:
def __init__(self, *arg, **kw):
self.__dict__.update(kw)
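Review bot: Both new tests build an ACL that holds only a Deny ACE and expect `[]`, so they pass whether or not the Deny branch looks at the permission: with no Allow entry anywhere, nothing can end up in the result. To pin the case where a Deny of Everyone for a different permission must not wipe existing grants, the first test needs an Allow for the queried permission next to it, e.g. `acl = [ (Allow, 'alice', 'read'), (Deny, Everyone, 'write') ]` with `self.assertEqual(result, ['alice'])` (`'alice'` is a made-up principal, and `Allow` would need importing from `pyramid.security`). The second test would similarly be stronger with a grant that the Deny is expected to clear; from the visible code `allowed` seems to carry grants from an earlier ACL, so that grant would presumably sit on a parent context. `DummyContext` continues outside the hunk.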