Diffstat (limited to 'docs/api/authorization.rst')
| -rw-r--r-- | docs/api/authorization.rst | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/docs/api/authorization.rst b/docs/api/authorization.rst index c6b3d090e..fac47490a 100644 --- a/docs/api/authorization.rst +++ b/docs/api/authorization.rst @@ -10,3 +10,46 @@ .. autoclass:: ACLAuthorizationPolicy +Constants +--------- + +.. attribute:: Everyone + + The special principal id named 'Everyone'. This principal id is + granted to all requests. Its actual value is the string + 'system.Everyone'. + +.. attribute:: Authenticated + + The special principal id named 'Authenticated'. This principal id + is granted to all requests which contain any other non-Everyone + principal id (according to the :term:`authentication policy`). + Its actual value is the string 'system.Authenticated'. + +.. attribute:: ALL_PERMISSIONS + + An object that can be used as the ``permission`` member of an ACE + which matches all permissions unconditionally. For example, an + ACE that uses ``ALL_PERMISSIONS`` might be composed like so: + ``('Deny', 'system.Everyone', ALL_PERMISSIONS)``. + +.. attribute:: DENY_ALL + + A convenience shorthand ACE that defines ``('Deny', + 'system.Everyone', ALL_PERMISSIONS)``. This is often used as the + last ACE in an ACL in systems that use an "inheriting" security + policy, representing the concept "don't inherit any other ACEs". + +Return Values +------------- + +.. autoclass:: ACLDenied + :members: msg + + .. automethod:: __new__ + +.. autoclass:: ACLAllowed + :members: msg + + .. automethod:: __new__ + |
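Review bot: In the ``ALL_PERMISSIONS`` and ``DENY_ALL`` entries the example ACEs spell the principal as the literal 'system.Everyone', although the ``Everyone`` entry a few lines above introduces a constant for exactly that value. Consider writing the examples as ``('Deny', Everyone, ALL_PERMISSIONS)`` so readers copy the constant rather than the string. The action 'Deny' also appears in both examples, but this Constants section never says where the action values are defined, so a one-line pointer would help. The ``DENY_ALL`` text says it is "often used as the last ACE"; it would be worth stating what that placement means for any ACE listed after it in the same ACL, since an entry that matches every principal and every permission makes the ordering security-relevant.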
