| -rw-r--r-- | CHANGES.txt | 5 | ||||
| -rw-r--r-- | pyramid/security.py | 14 | ||||
| -rw-r--r-- | pyramid/tests/test_security.py | 18 |
3 files changed, 36 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 80d4a5dee..563851e74 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,6 +16,11 @@ Features - Slightly better debug logging from RepozeWho1AuthenticationPolicy. +- ``pyramid.security.view_execution_permitted`` used to return `True` if no + view could be found. It now raises a ``TypeError`` exception in that case, as + it doesn't make sense to assert that a nonexistent view is + execution-permitted. See https://github.com/Pylons/pyramid/issues/299. + 1.4a3 (2012-10-26) ================== diff --git a/pyramid/security.py b/pyramid/security.py index 4b929241e..3e25f9b2f 100644 --- a/pyramid/security.py +++ b/pyramid/security.py @@ -4,6 +4,7 @@ from pyramid.interfaces import ( IAuthenticationPolicy, IAuthorizationPolicy, ISecuredView, + IView, IViewClassifier, ) @@ -132,7 +133,13 @@ def view_execution_permitted(context, request, name=''): view using the effective authentication/authorization policies and the ``request``. Return a boolean result. If no :term:`authorization policy` is in effect, or if the view is not - protected by a permission, return ``True``.""" + protected by a permission, return ``True``. If no view can view found, + an exception will be raised. + + .. versionchanged:: 1.4a4 + An exception is raised if no view is found. + + """ try: reg = request.registry except AttributeError: @@ -140,6 +147,11 @@ def view_execution_permitted(context, request, name=''): provides = [IViewClassifier] + map_(providedBy, (request, context)) view = reg.adapters.lookup(provides, ISecuredView, name=name) if view is None: + view = reg.adapters.lookup(provides, IView, name=name) + if view is None: + raise TypeError('No registered view satisfies the constraints. ' + 'It would not make sense to claim that this view ' + '"is" or "is not" permitted.') return Allowed( 'Allowed: view name %r in context %r (no permission defined)' % (name, context)) 
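Review bot: The sentence added to the `view_execution_permitted` docstring in pyramid/security.py reads "If no view can view found" and does not say which exception is raised, although the code raises `TypeError`. I would write it as `If no view can be found, a ``TypeError`` is raised.` and name the type in the `versionchanged` note too, since callers that relied on the old `True` result for an unregistered view name now have to catch it. Because `TypeError` is a generic builtin, a caller catching it cannot tell "no such view" apart from a `TypeError` raised elsewhere during the call; a dedicated subclass of `TypeError` would stay compatible and make that distinction possible. The function body starts and ends outside this hunk.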
diff --git a/pyramid/tests/test_security.py b/pyramid/tests/test_security.py index ba9538b01..e530e33ca 100644 --- a/pyramid/tests/test_security.py +++ b/pyramid/tests/test_security.py @@ -131,19 +131,37 @@ class TestViewExecutionPermitted(unittest.TestCase): return checker def test_no_permission(self): + from zope.interface import Interface from pyramid.threadlocal import get_current_registry from pyramid.interfaces import ISettings + from pyramid.interfaces import IView + from pyramid.interfaces import IViewClassifier settings = dict(debug_authorization=True) reg = get_current_registry() reg.registerUtility(settings, ISettings) context = DummyContext() request = DummyRequest({}) + class DummyView(object): + pass + view = DummyView() + reg.registerAdapter(view, (IViewClassifier, Interface, Interface), + IView, '') result = self._callFUT(context, request, '') msg = result.msg self.assertTrue("Allowed: view name '' in context" in msg) self.assertTrue('(no permission defined)' in msg) self.assertEqual(result, True) + def test_no_view_registered(self): + from pyramid.threadlocal import get_current_registry + from pyramid.interfaces import ISettings + settings = dict(debug_authorization=True) + reg = get_current_registry() + reg.registerUtility(settings, ISettings) + context = DummyContext() + request = DummyRequest({}) + self.assertRaises(TypeError, self._callFUT, context, request, '') + def test_with_permission(self): from zope.interface import Interface from zope.interface import directlyProvides |
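Review bot: `test_no_view_registered` in pyramid/tests/test_security.py passes on any `TypeError`, so it would still pass if the lookup or `_callFUT` failed for an unrelated reason. It should also check the message, for example that it contains `'No registered view satisfies the constraints'`. Only the empty view name is exercised; adding `self.assertRaises(TypeError, self._callFUT, context, request, 'missing')` (name constructed for the example) would cover a named view that is not registered, which is the case that used to be reported as allowed. The test class starts before this hunk and continues after it.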
