-rw-r--r--CHANGES.txt12
-rw-r--r--repoze/bfg/authorization.py12
-rw-r--r--repoze/bfg/tests/test_authorization.py12
3 files changed, 33 insertions, 3 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 2de872afe..496a95ee8 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,18 @@
Next release
============
+Bug Fixes
+----------
+
+- The ACL authorization policy debugging output when
+ ``debug_authorization`` consule debugging output was turned on
+ wasn't as clear as it could have been when a view execution was
+ denied due to an authorization failure resulting from the set of
+ principals passed never having matched any ACE in any ACL in the
+ lineage. Now in this case, we report ``<default deny>`` as the ACE
+ value and either the root ACL or ``<No ACL found on any object in
+ model lineage>`` if no ACL was found.
+
Internals
---------
diff --git a/repoze/bfg/authorization.py b/repoze/bfg/authorization.py
index 743e9cb64..c7e8b1c96 100644
--- a/repoze/bfg/authorization.py
+++ b/repoze/bfg/authorization.py
@@ -57,6 +57,8 @@ class ACLAuthorizationPolicy(object):
def permits(self, context, principals, permission):
""" Return ``ACLAllowed`` if the policy permits access,
``ACLDenied`` if not. """
+
+ acl = '<No ACL found on any object in model lineage>'
for location in lineage(context):
try:
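Review bot: The placeholder `'<No ACL found on any object in model lineage>'` is a bare string literal inside `permits`, and the test file repeats it verbatim, so the two copies can drift apart without any failure pointing at the cause. A module-level constant that both the policy and the tests reference would be clearer, for example `NO_ACL_FOUND = '<No ACL found on any object in model lineage>'`. The same applies to `'<default deny>'` in the next hunk of this file. The body of the `for` loop continues outside this hunk.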
@@ -77,8 +79,14 @@ class ACLAuthorizationPolicy(object):
return ACLDenied(ace, acl, permission,
principals, location)
- # default deny if no ACL in lineage at all
- return ACLDenied(None, None, permission, principals, context)
+ # default deny (if no ACL in lineage at all, or if none of the
+ # principals were mentioned in any ACE we found)
+ return ACLDenied(
+ '<default deny>',
+ acl,
+ permission,
+ principals,
+ context)
def principals_allowed_by_permission(self, context, permission):
""" Return the set of principals explicitly granted the
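Review bot: On the default-deny path `acl` is whatever the loop last bound, so the reported value is the ACL of the last lineage object that had one, which is the root's ACL only when the root itself defines `__acl__`. The loop body is outside this hunk, so this is inferred from `acl` being reused in the in-loop `ACLDenied(ace, acl, ...)`. When only an intermediate object carries an ACL, the denial names that ACL while `context` is still the original context, which can mislead someone reading the authorization debug output. The comment should say so, e.g. `# acl is the last ACL seen while walking the lineage, not necessarily the root's`. Separately, `ace` is now a string where it used to be `None`, so any caller that recognised a default deny with `result.ace is None` needs updating.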
diff --git a/repoze/bfg/tests/test_authorization.py b/repoze/bfg/tests/test_authorization.py
index 8aa9b9abf..6b8c8293a 100644
--- a/repoze/bfg/tests/test_authorization.py
+++ b/repoze/bfg/tests/test_authorization.py
@@ -61,12 +61,14 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
self.assertEqual(result, True)
self.assertEqual(result.context, blog)
self.assertEqual(result.ace, (Allow, 'wilma', VIEW))
+ self.assertEqual(result.acl, blog.__acl__)
result = policy.permits(blog, [Everyone, Authenticated, 'wilma'],
'delete')
self.assertEqual(result, False)
self.assertEqual(result.context, community)
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view')
self.assertEqual(result, True)
@@ -77,6 +79,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
self.assertEqual(result, True)
self.assertEqual(result.context, community)
self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
result = policy.permits(blog, [Everyone, Authenticated, 'barney'],
'view')
@@ -88,6 +91,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
self.assertEqual(result, False)
self.assertEqual(result.context, community)
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
result = policy.permits(root, [Everyone, Authenticated, 'someguy'],
'view')
@@ -99,15 +103,21 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
self.assertEqual(result, False)
self.assertEqual(result.context, community)
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
result = policy.permits(root, [Everyone], 'view')
self.assertEqual(result, False)
self.assertEqual(result.context, root)
- self.assertEqual(result.ace, None)
+ self.assertEqual(result.ace, '<default deny>')
+ self.assertEqual(result.acl, root.__acl__)
context = DummyContext()
result = policy.permits(context, [Everyone], 'view')
self.assertEqual(result, False)
+ self.assertEqual(result.ace, '<default deny>')
+ self.assertEqual(
+ result.acl,
+ '<No ACL found on any object in model lineage>')
def test_principals_allowed_by_permission_direct(self):
from repoze.bfg.security import Allow
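Review bot: The final `DummyContext()` case asserts `ace` and `acl` but not `result.context`, and no case covers a lineage where only a non-root object has an `__acl__` and none of the principals match. That missing case is the one that pins which ACL a default deny reports, so the behaviour described in CHANGES.txt ("the root ACL") is only tested when the root itself has an ACL. Consider adding `self.assertEqual(result.context, context)` after the `DummyContext` call, plus a case with an ACL-less root above an object whose ACL mentions none of the principals. The test method starts outside this hunk.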