From e0162efd4bc5320591854c137d1403083e4a8618 Mon Sep 17 00:00:00 2001
From: Chris McDonough
Date: Thu, 19 Nov 2009 15:05:32 +0000
Subject: - The ACL authorization policy debugging output when ``debug_authorization`` consule debugging output was turned on wasn't as clear as it could have been when a view execution was denied due to an authorization failure resulting from the set of principals passed never having matched any ACE in any ACL in the lineage. Now in this case, we report ```` as the ACE value and either the root ACL or ```` if no ACL was found.
---
 CHANGES.txt | 12 ++++++++++++
 repoze/bfg/authorization.py | 12 ++++++++++--
 repoze/bfg/tests/test_authorization.py | 12 +++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 2de872afe..496a95ee8 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,18 @@
 Next release
 ============
+Bug Fixes
+----------
+
+- The ACL authorization policy debugging output when
+ ``debug_authorization`` consule debugging output was turned on
+ wasn't as clear as it could have been when a view execution was
+ denied due to an authorization failure resulting from the set of
+ principals passed never having matched any ACE in any ACL in the
+ lineage. Now in this case, we report ```` as the ACE
+ value and either the root ACL or ```` if no ACL was found.
+
 Internals
 ---------
diff --git a/repoze/bfg/authorization.py b/repoze/bfg/authorization.py
index 743e9cb64..c7e8b1c96 100644
--- a/repoze/bfg/authorization.py
+++ b/repoze/bfg/authorization.py
@@ -57,6 +57,8 @@ class ACLAuthorizationPolicy(object):
 def permits(self, context, principals, permission):
 """ Return ``ACLAllowed`` if the policy permits access, ``ACLDenied`` if not. """
+
+ acl = ''
 for location in lineage(context):
 try:
@@ -77,8 +79,14 @@ class ACLAuthorizationPolicy(object):
 return ACLDenied(ace, acl, permission, principals, location)
- # default deny if no ACL in lineage at all
- return ACLDenied(None, None, permission, principals, context)
+ # default deny (if no ACL in lineage at all, or if none of the
+ # principals were mentioned in any ACE we found)
+ return ACLDenied(
+ '',
+ acl,
+ permission,
+ principals,
+ context)
 def principals_allowed_by_permission(self, context, permission):
 """ Return the set of principals explicitly granted the
diff --git a/repoze/bfg/tests/test_authorization.py b/repoze/bfg/tests/test_authorization.py
index 8aa9b9abf..6b8c8293a 100644
--- a/repoze/bfg/tests/test_authorization.py
+++ b/repoze/bfg/tests/test_authorization.py
@@ -61,12 +61,14 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, True)
 self.assertEqual(result.context, blog)
 self.assertEqual(result.ace, (Allow, 'wilma', VIEW))
+ self.assertEqual(result.acl, blog.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'wilma'], 'delete')
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'fred'], 'view')
 self.assertEqual(result, True)
@@ -77,6 +79,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, True)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(blog, [Everyone, Authenticated, 'barney'], 'view')
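Review bot: The fall-through `ACLDenied` reports `acl` as whatever the lineage loop last assigned, which is the ACL of the outermost location that defines `__acl__` (presumably set from `location.__acl__` earlier in `permits`, outside this hunk), so it is the root ACL only when the root itself carries one; the new comment should say that rather than leave readers to the changelog's "root ACL", e.g. `# default deny: no principal matched any ACE in any ACL; report the outermost ACL consulted (or the marker set before the loop) so debug output shows what was checked`. Replacing the former `None` ace with a string marker also changes what callers observe: code that recognised the default-deny case via `result.ace is None` no longer matches, which deserves a line in CHANGES. Both marker literals are rendered as empty `''` here, which looks like the bracketed marker text was lost in extraction; if they really were empty strings the debug output would carry no explanation at all. The enclosing `permits` method begins in the previous hunk, where the marker is initialised.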
@@ -88,6 +91,7 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(root, [Everyone, Authenticated, 'someguy'], 'view')
@@ -99,15 +103,21 @@ class TestACLAuthorizationPolicy(unittest.TestCase):
 self.assertEqual(result, False)
 self.assertEqual(result.context, community)
 self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
+ self.assertEqual(result.acl, community.__acl__)
 result = policy.permits(root, [Everyone], 'view')
 self.assertEqual(result, False)
 self.assertEqual(result.context, root)
- self.assertEqual(result.ace, None)
+ self.assertEqual(result.ace, '')
+ self.assertEqual(result.acl, root.__acl__)
 context = DummyContext()
 result = policy.permits(context, [Everyone], 'view')
 self.assertEqual(result, False)
+ self.assertEqual(result.ace, '')
+ self.assertEqual(
+ result.acl,
+ '')
 def test_principals_allowed_by_permission_direct(self):
 from repoze.bfg.security import Allow
-- cgit v1.2.3
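Review bot: The final `DummyContext` case asserts the new `ace` and `acl` markers but, unlike every other denied case in this test, never checks `result.context`; since the fall-through in `permits` reports the original `context` rather than a lineage location, add `self.assertEqual(result.context, context)` after the `result` check to pin that. The first hunk here (`-88,6`) only mirrors the `acl` assertions added in the preceding hunks and needs nothing further. The enclosing test method starts outside both hunks.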