From 2d931400b22f4c5764df68c2799be512e60a2de1 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Mon, 18 Mar 2013 21:00:50 -0700
Subject: support acl as a callable

---
 CHANGES.txt              | 13 +++++++++++++
 docs/narr/security.rst   | 21 +++++++++++++++++++++
 pyramid/authorization.py |  3 +++
 3 files changed, 37 insertions(+)

diff --git a/CHANGES.txt b/CHANGES.txt
index 85dd3be2a..ae2cafba4 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,16 @@
+next release
+============
+
+Features
+--------
+
+- ``ACLAuthorizationPolicy`` supports ``__acl__`` as a callable. This
+  removes the ambiguity between the potential ``AttributeError`` that would
+  be raised on the ``context`` when the property was not defined and the
+  ``AttributeError`` that could be raised from any user-defined code within
+  a dynamic property. It is recommended to define a dynamic ACL as a callable
+  to avoid this ambiguity. See https://github.com/Pylons/pyramid/issues/735.
+
 1.4 (2012-12-18)
 ================
 
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 5b79edd19..36c888559 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -270,6 +270,27 @@ resource instances with an ACL (as opposed to just decorating their class) in
 applications such as "CMS" systems where fine-grained access is required on
 an object-by-object basis.
 
+Dynamic ACLs are also possible by turning the ACL into a callable on the
+resource. This may allow the ACL to dynamically generate rules based on
+properties of the instance.
+
+.. code-block:: python
+   :linenos:
+
+   from pyramid.security import Allow
+   from pyramid.security import Everyone
+
+   class Blog(object):
+       def __acl__(self):
+           return [
+               (Allow, Everyone, 'view'),
+               (Allow, self.owner, 'edit'),
+               (Allow, 'group:editors', 'edit'),
+           ]
+
+       def __init__(self, owner):
+           self.owner = owner
+
 .. index::
    single: ACE
    single: access control entry
diff --git a/pyramid/authorization.py b/pyramid/authorization.py
index 943f8bd00..1fd05e244 100644
--- a/pyramid/authorization.py
+++ b/pyramid/authorization.py
@@ -80,6 +80,9 @@ class ACLAuthorizationPolicy(object):
             except AttributeError:
                 continue
 
+            if acl and callable(acl):
+                acl = acl()
+
             for ace in acl:
                 ace_action, ace_principal, ace_permissions = ace
                 if ace_principal in principals:
-- 
cgit v1.2.3