Diffstat (limited to 'src')
-rw-r--r--src/pyramid/authentication.py6
-rw-r--r--src/pyramid/config/testing.py8
-rw-r--r--src/pyramid/interfaces.py17
-rw-r--r--src/pyramid/security.py56
-rw-r--r--src/pyramid/testing.py9
-rw-r--r--src/pyramid/viewderivers.py9
6 files changed, 58 insertions, 47 deletions
diff --git a/src/pyramid/authentication.py b/src/pyramid/authentication.py
index de06fe955..500a84646 100644
--- a/src/pyramid/authentication.py
+++ b/src/pyramid/authentication.py
@@ -1110,7 +1110,7 @@ class SessionAuthenticationPolicy(CallbackAuthenticationPolicy):
return self.helper.forget(request)
def unauthenticated_userid(self, request):
- return self.helper.identify(request)
+ return self.helper.authenticated_userid(request)
class SessionAuthenticationHelper:
@@ -1134,13 +1134,13 @@ class SessionAuthenticationHelper:
request.session[self.userid_key] = userid
return []
- def forget(self, request):
+ def forget(self, request, **kw):
""" Remove the stored userid from the session."""
if self.userid_key in request.session:
del request.session[self.userid_key]
return []
- def identify(self, request):
+ def authenticated_userid(self, request):
""" Return the stored userid."""
return request.session.get(self.userid_key)
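Review bot: The renamed `SessionAuthenticationHelper.authenticated_userid` still just returns `request.session.get(self.userid_key)`, so the "authenticated" in the name is backed only by the session's own integrity — no callback or storage lookup happens here, and `SessionAuthenticationPolicy.unauthenticated_userid` in the previous hunk now delegates to it. The one-line docstring should say so, e.g. `""" Return the userid stored in the session, or ``None``. No further verification is performed; the value is as trustworthy as the session itself."""`. The `**kw` added to `forget` is accepted and ignored, which matches the `ISecurityPolicy.forget(request, **kw)` signature in this commit; a short comment such as `# **kw accepted for ISecurityPolicy compatibility; unused here` would make that deliberate.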
diff --git a/src/pyramid/config/testing.py b/src/pyramid/config/testing.py
index 21c622656..83a8db552 100644
--- a/src/pyramid/config/testing.py
+++ b/src/pyramid/config/testing.py
@@ -13,6 +13,7 @@ class TestingConfiguratorMixin(object):
# testing API
def testing_securitypolicy(
self,
+ userid=None,
identity=None,
permissive=True,
remember_result=None,
@@ -39,6 +40,7 @@ class TestingConfiguratorMixin(object):
not provided (or it is provided, and is ``None``), the default value
``[]`` (the empty list) will be returned by ``forget``.
+ XXX rewrite
The behavior of the registered :term:`authentication policy`
depends on the values provided for the ``userid`` and
``groupids`` argument. The authentication policy will return
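Review bot: The docstring of `testing_securitypolicy` is left inconsistent with its new signature: a literal `XXX rewrite` marker is committed into user-facing documentation, the text still says behaviour depends on the `groupids` argument that the `versionchanged:: 2.0` note in the last hunk of this file says was removed, and the new `userid` argument is not documented at all. Either finish the rewrite in this commit or replace the marker with a one-line description, e.g. `The ``userid`` argument is returned by ``authenticated_userid``; ``identity`` is returned by ``identify``.`, and drop the sentence about `groupids`. The `versionchanged` block should also mention `Added the ``userid`` argument.` The surrounding method body continues past the hunk boundaries.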
@@ -51,7 +53,6 @@ class TestingConfiguratorMixin(object):
This function is most useful when testing code that uses
the APIs named :meth:`pyramid.request.Request.has_permission`,
:attr:`pyramid.request.Request.authenticated_userid`,
- :attr:`pyramid.request.Request.effective_principals`, and
:func:`pyramid.security.principals_allowed_by_permission`.
.. versionadded:: 1.4
@@ -59,11 +60,14 @@ class TestingConfiguratorMixin(object):
.. versionadded:: 1.4
The ``forget_result`` argument.
+
+ .. versionchanged:: 2.0
+ Removed ``groupids`` argument and doc about effective principals.
"""
from pyramid.testing import DummySecurityPolicy
policy = DummySecurityPolicy(
- identity, permissive, remember_result, forget_result
+ userid, identity, permissive, remember_result, forget_result
)
self.registry.registerUtility(policy, ISecurityPolicy)
return policy
diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py
index 688293509..11b794e2b 100644
--- a/src/pyramid/interfaces.py
+++ b/src/pyramid/interfaces.py
@@ -484,18 +484,21 @@ class IViewMapperFactory(Interface):
class ISecurityPolicy(Interface):
def identify(request):
- """ Return an object identifying a trusted and verified user. This
- object may be anything, but should implement a ``__str__`` method that
- outputs a corresponding :term:`userid`.
+ """ Return an object identifying a trusted and verified user.
+ The object may be anything.
"""
- def permits(request, context, identity, permission):
+ def authenticated_userid(request, identity):
+ """ Return a :term:`userid` string identifying the trusted and
+ verified user, or ``None`` if unauthenticated.
+ """
+
+ def permits(request, context, permission):
""" Return an instance of :class:`pyramid.security.Allowed` if a user
of the given identity is allowed the ``permission`` in the current
``context``, else return an instance of
:class:`pyramid.security.Denied`.
-
"""
def remember(request, userid, **kw):
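Review bot: The new interface method `ISecurityPolicy.authenticated_userid(request, identity)` declares an `identity` parameter, but every implementation in this commit (`DummySecurityPolicy.authenticated_userid(self, request)`, `LegacySecurityPolicy.authenticated_userid(self, request)`) and every caller (`policy.authenticated_userid(self)` in `security.py`) uses only `request`, so the contract does not match the code; it should read `def authenticated_userid(request):`. The `permits` docstring also still speaks of "a user of the given identity" although the `identity` argument was removed from the signature in the same hunk; rewording it to `if the user identified by ``request`` is allowed the ``permission``` keeps the doc honest. The `ISecurityPolicy` class continues past the end of this hunk.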
@@ -503,13 +506,11 @@ class ISecurityPolicy(Interface):
:term:`userid` named ``userid`` when set in a response. An
individual authentication policy and its consumers can
decide on the composition and meaning of ``**kw``.
-
"""
- def forget(request):
+ def forget(request, **kw):
""" Return a set of headers suitable for 'forgetting' the
current user on subsequent requests.
-
"""
diff --git a/src/pyramid/security.py b/src/pyramid/security.py
index 08c36b457..053ff5818 100644
--- a/src/pyramid/security.py
+++ b/src/pyramid/security.py
@@ -82,7 +82,7 @@ def remember(request, userid, **kw):
return policy.remember(request, userid, **kw)
-def forget(request):
+def forget(request, **kw):
"""
Return a sequence of header tuples (e.g. ``[('Set-Cookie',
'foo=abc')]``) suitable for 'forgetting' the set of credentials
@@ -104,7 +104,7 @@ def forget(request):
policy = _get_security_policy(request)
if policy is None:
return []
- return policy.forget(request)
+ return policy.forget(request, **kw)
def principals_allowed_by_permission(context, permission):
@@ -293,7 +293,9 @@ class ACLAllowed(ACLPermitsResult, Allowed):
"""
-class SecurityAPIMixin(object):
+class SecurityAPIMixin:
+ """ Mixin for Request class providing auth-related properties. """
+
@property
def authenticated_identity(self):
"""
@@ -315,18 +317,14 @@ class SecurityAPIMixin(object):
.. versionchanged:: 2.0
- When using the new security system, this property outputs the
- string representation of the :term:`identity`.
+ This property delegates to the effective :term:`security policy`,
+ ignoring old-style :term:`authentication policy`.
"""
- authn = _get_authentication_policy(self)
- security = _get_security_policy(self)
- if authn is not None:
- return authn.authenticated_userid(self)
- elif security is not None:
- return str(security.identify(self))
- else:
+ policy = _get_security_policy(self)
+ if policy is None:
return None
+ return policy.authenticated_userid(self)
def has_permission(self, permission, context=None):
""" Given a permission and an optional context, returns an instance of
@@ -353,11 +351,12 @@ class SecurityAPIMixin(object):
policy = _get_security_policy(self)
if policy is None:
return Allowed('No security policy in use.')
- identity = policy.identify(self)
- return policy.permits(self, context, identity, permission)
+ return policy.permits(self, context, permission)
class AuthenticationAPIMixin(object):
+ """ Mixin for Request class providing compatibility properties. """
+
@property
def unauthenticated_userid(self):
"""
@@ -365,8 +364,8 @@ class AuthenticationAPIMixin(object):
``unauthenticated_userid`` does not have an equivalent in the new
security system. Use :attr:`.authenticated_userid` or
- :attr:`.identity` instead. See :ref:`upgrading_auth` for more
- information.
+ :attr:`.authenticated_identity` instead.
+ See :ref:`upgrading_auth` for more information.
Return an object which represents the *claimed* (not verified) user
id of the credentials present in the request. ``None`` if there is no
@@ -377,14 +376,18 @@ class AuthenticationAPIMixin(object):
associated with the userid exists in persistent storage.
"""
- authn = _get_authentication_policy(self)
- security = _get_security_policy(self)
- if authn is not None:
- return authn.unauthenticated_userid(self)
- elif security is not None:
- return str(security.identify(self))
- else:
+ policy = _get_security_policy(self)
+ if policy is None:
return None
+ return policy.authenticated_userid(self)
+
+ unauthenticated_userid = deprecated(
+ unauthenticated_userid,
+ 'The new security policy has removed the concept of unauthenticated '
+ 'userid. See https://docs.pylonsproject.org/projects/pyramid/en/latest'
+ '/whatsnew-2.0.html#upgrading-authentication-authorization '
+ 'for more information.',
+ )
@property
def effective_principals(self):
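Review bot: The new body of `unauthenticated_userid` returns `policy.authenticated_userid(self)`, the verified userid, but the docstring kept as context above it still promises "the *claimed* (not verified) user id" — the two now contradict each other, and any caller that relied on the claimed/verified distinction silently gets the verified value. The docstring should be updated to state the actual behaviour, e.g. `Returns the same value as :attr:`.authenticated_userid`; the claimed-but-unverified userid is no longer available through this property.` If `deprecated` here is the zope.deprecation helper, applying it to a `property` object works, but I cannot confirm the import from this hunk; if a different helper is meant, wrapping a property instead of a function may not emit the warning. The `AuthenticationAPIMixin` class continues past the hunk.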
@@ -428,7 +431,7 @@ class LegacySecurityPolicy:
def _get_authz_policy(self, request):
return request.registry.getUtility(IAuthorizationPolicy)
- def identify(self, request):
+ def authenticated_userid(self, request):
authn = self._get_authn_policy(request)
return authn.authenticated_userid(request)
@@ -436,11 +439,12 @@ class LegacySecurityPolicy:
authn = self._get_authn_policy(request)
return authn.remember(request, userid, **kw)
- def forget(self, request):
+ def forget(self, request, **kw):
authn = self._get_authn_policy(request)
+ # XXX log warning if varkwargs were passed?
return authn.forget(request)
- def permits(self, request, context, identity, permission):
+ def permits(self, request, context, permission):
authn = self._get_authn_policy(request)
authz = self._get_authz_policy(request)
principals = authn.effective_principals(request)
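Review bot: `LegacySecurityPolicy.forget` now accepts `**kw` but drops it on the floor when calling `authn.forget(request)`, leaving only the `# XXX log warning if varkwargs were passed?` question in the code; a caller passing forget options through `pyramid.security.forget(request, **kw)` would get no indication they were ignored. Answer the question in this commit rather than shipping the marker, e.g. `if kw: warnings.warn('LegacySecurityPolicy ignores keyword arguments to forget()', stacklevel=2)` (only if `warnings` is imported in this module, which the hunk does not show), or document the limitation in a docstring. `LegacySecurityPolicy.permits` continues past the end of the hunk.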
diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py
index 3bf3f1898..316e0bd15 100644
--- a/src/pyramid/testing.py
+++ b/src/pyramid/testing.py
@@ -42,11 +42,13 @@ class DummySecurityPolicy(object):
def __init__(
self,
+ userid=None,
identity=None,
permissive=True,
remember_result=None,
forget_result=None,
):
+ self.userid = None
self.identity = identity
self.permissive = permissive
if remember_result is None:
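Review bot: `DummySecurityPolicy.__init__` accepts the new `userid` argument and then assigns `self.userid = None`, so the value passed by `testing_securitypolicy(userid=...)` is discarded and the new `authenticated_userid` in the next hunk always returns `None`. The line should be `self.userid = userid`. Without this, tests that configure a dummy userid will see `request.authenticated_userid` come back as `None`, which reads as "unauthenticated" rather than as a configuration bug. `__init__` continues past the end of this hunk.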
@@ -59,14 +61,17 @@ class DummySecurityPolicy(object):
def identify(self, request):
return self.identity
- def permits(self, request, context, identity, permission):
+ def authenticated_userid(self, request):
+ return self.userid
+
+ def permits(self, request, context, permission):
return self.permissive
def remember(self, request, userid, **kw):
self.remembered = userid
return self.remember_result
- def forget(self, request):
+ def forget(self, request, **kw):
self.forgotten = True
return self.forget_result
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index 35f9a08d2..7c28cbf85 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
@@ -316,8 +316,7 @@ def _secured_view(view, info):
if policy and (permission is not None):
def permitted(context, request):
- identity = policy.identify(request)
- return policy.permits(request, context, identity, permission)
+ return policy.permits(request, context, permission)
def secured_view(context, request):
result = permitted(context, request)
@@ -363,10 +362,8 @@ def _authdebug_view(view, info):
elif permission is None:
msg = 'Allowed (no permission registered)'
else:
- identity = policy.identify(request)
- msg = str(
- policy.permits(request, context, identity, permission)
- )
+ result = policy.permits(request, context, permission)
+ msg = str(result)
else:
msg = 'Allowed (no security policy in use)'