| -rw-r--r-- | src/pyramid/authentication.py | 2 | ||||
| -rw-r--r-- | src/pyramid/authorization.py | 29 | ||||
| -rw-r--r-- | src/pyramid/httpexceptions.py | 11 |
3 files changed, 22 insertions, 20 deletions
diff --git a/src/pyramid/authentication.py b/src/pyramid/authentication.py
index 8c6c0f981..95c01bbea 100644
--- a/src/pyramid/authentication.py
+++ b/src/pyramid/authentication.py
@@ -10,8 +10,8 @@ import warnings
 from webob.cookies import CookieProfile
 from zope.interface import implementer
-from pyramid.interfaces import IAuthenticationPolicy, IDebugLogger
 from pyramid.authorization import Authenticated, Everyone
+from pyramid.interfaces import IAuthenticationPolicy, IDebugLogger
 from pyramid.util import (
     SimpleSerializer,
     ascii_,
diff --git a/src/pyramid/authorization.py b/src/pyramid/authorization.py
index 87e6b8767..a0524a8cc 100644
--- a/src/pyramid/authorization.py
+++ b/src/pyramid/authorization.py
@@ -33,9 +33,6 @@ class AllPermissionsList(_AllPermissionsList):
     pass
-ALL_PERMISSIONS = AllPermissionsList() # api
-DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS) # api
-
 # subclass to fix __qualname__
 class ACLAllowed(_ACLAllowed):
     pass
@@ -46,6 +43,10 @@ class ACLDenied(_ACLDenied):
     pass
+ALL_PERMISSIONS = AllPermissionsList() # api
+DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS) # api
+
+
 @implementer(IAuthorizationPolicy)
 class ACLAuthorizationPolicy(object):
     """ An :term:`authorization policy` which consults an :term:`ACL`
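Review bot: `ALL_PERMISSIONS` and `DENY_ALL` arrive at their new position in authorization.py with nothing but the bare `# api` marker, so a reader of the new hunk cannot tell why `DENY_ALL` is spelled `(Deny, Everyone, ALL_PERMISSIONS)` or what effect it has during an ACL walk. The ACLHelper docstring rewrapped later in this commit states that a Deny to Everyone matching the permission clears the allow list for every principal collected from earlier ACLs, which is the behaviour this constant is built to trigger. A comment above the tuple would make the intent explicit at the definition site: `# ACE denying every permission to every principal; ACLHelper treats a Deny to Everyone as clearing grants collected from ancestor ACLs, so this is presumably meant as the final entry of an ACL.` The existing `# api` markers can stay alongside it if that is the module's convention.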
@@ -160,17 +161,17 @@ class ACLHelper:
         of principals that are explicitly granted the ``permission`` in the provided ``context``. We do this by walking 'up' the object graph *from the root* to the context. During this walking process, if we
-        find an explicit :data:`pyramid.authorization.Allow` ACE for a principal
-        that matches the ``permission``, the principal is included in the allow
-        list. However, if later in the walking process that principal is
-        mentioned in any :data:`pyramid.authorization.Deny` ACE for the
-        permission, the principal is removed from the allow list. If a
-        :data:`pyramid.authorization.Deny` to the principal
-        :data:`pyramid.authorization.Everyone` is encountered during the walking
-        process that matches the ``permission``, the allow list is cleared for
-        all principals encountered in previous ACLs. The walking process ends
-        after we've processed the any ACL directly attached to ``context``; a
-        set of principals is returned.
+        find an explicit :data:`pyramid.authorization.Allow` ACE for a
+        principal that matches the ``permission``, the principal is included in
+        the allow list. However, if later in the walking process that
+        principal is mentioned in any :data:`pyramid.authorization.Deny` ACE
+        for the permission, the principal is removed from the allow list. If
+        a :data:`pyramid.authorization.Deny` to the principal
+        :data:`pyramid.authorization.Everyone` is encountered during the
+        walking process that matches the ``permission``, the allow list is
+        cleared for all principals encountered in previous ACLs. The walking
+        process ends after we've processed the any ACL directly attached to
+        ``context``; a set of principals is returned.
         """
         allowed = set()
diff --git a/src/pyramid/httpexceptions.py b/src/pyramid/httpexceptions.py
index 76e28424a..dcf61b9e5 100644
--- a/src/pyramid/httpexceptions.py
+++ b/src/pyramid/httpexceptions.py
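Review bot: The rewrapped docstring carries over a pre-existing typo on its second-to-last added line, `process ends after we've processed the any ACL directly attached to`; since the commit already rewrites these lines, the stray word should go: `process ends after we've processed any ACL directly attached to`. Only the wording changes, so the line stays within the wrap width the rest of the rewrap uses. The enclosing method's signature sits above the hunk, so the name of the method this docstring belongs to is not visible here.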
@@ -755,11 +755,12 @@ class HTTPForbidden(HTTPClientError):
     argument, ``detail``, should be a string. The value of this string will be used as the ``message`` attribute of the exception object. The second special keyword argument, ``result`` is usually an instance of
-    :class:`pyramid.security.Denied` or :class:`pyramid.authorization.ACLDenied`
-    each of which indicates a reason for the forbidden error. However,
-    ``result`` is also permitted to be just a plain boolean ``False`` object
-    or ``None``. The ``result`` value will be used as the ``result``
-    attribute of the exception object. It defaults to ``None``.
+    :class:`pyramid.security.Denied` or
+    :class:`pyramid.authorization.ACLDenied` each of which indicates a reason
+    for the forbidden error. However, ``result`` is also permitted to be just
+    a plain boolean ``False`` object or ``None``. The ``result`` value will
+    be used as the ``result`` attribute of the exception object.
+    It defaults to ``None``.
     The :term:`Forbidden View` can use the attributes of a Forbidden exception as necessary to provide extended information in an error |
