From 82e0452f9c71ddd71489cca74f6070dada94e5dd Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Sat, 15 Jan 2011 21:54:58 -0700 Subject: our => the --- docs/narr/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 62a4727bc..43b5aaa19 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -12,7 +12,7 @@ credentials in the :term:`request` does not have an appropriate level of access when a particular resource is the :term:`context`. Here's how it works at a high level: -- A :term:`request` is generated when a user visits our application. +- A :term:`request` is generated when a user visits the application. - Based on the request, a :term:`context` resource is located through :term:`resource location`. A context is located differently depending on -- cgit v1.2.3 From 93d5dbd2bc8890a771425a8cd7f6dcd5aad66d58 Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Sat, 15 Jan 2011 22:07:07 -0700 Subject: reword security intro paragraph --- docs/narr/security.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 43b5aaa19..814f232d7 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst 
@@ -6,11 +6,12 @@ Security ======== -:app:`Pyramid` provides an optional declarative authorization system that -prevents a :term:`view` from being invoked when the user represented by -credentials in the :term:`request` does not have an appropriate level of -access when a particular resource is the :term:`context`. Here's how it -works at a high level: +:app:`Pyramid` provides an optional declarative authorization system +that prevents a :term:`view` from being invoked based on an +:term:`authorization policy`. Before a view is invoked, the +authorization system can use the credentials in the :term:`request` +along with the :term:`context` resource to determine if access will be +allowed. Here's how it works at a high level: - A :term:`request` is generated when a user visits the application. -- cgit v1.2.3 From c90930a41c7ccac634d96536a4c65bce57f5fb8b Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Sat, 15 Jan 2011 22:08:21 -0700 Subject: slight clarification --- docs/narr/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 814f232d7..6ea48794c 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -7,7 +7,7 @@ Security ======== :app:`Pyramid` provides an optional declarative authorization system -that prevents a :term:`view` from being invoked based on an +that can prevent a :term:`view` from being invoked based on an :term:`authorization policy`. Before a view is invoked, the authorization system can use the credentials in the :term:`request` along with the :term:`context` resource to determine if access will be -- cgit v1.2.3 From 3dc9116f868c40aed42904b95b0ca703b2f73aa3 Mon Sep 17 00:00:00 2001 
From: Casey Duncan Date: Sat, 15 Jan 2011 22:20:52 -0700 Subject: XXX explain the authentication/authorization separate in pyramid. Confirm this is correct XXX --- docs/narr/security.rst | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 6ea48794c..f20c9f63e 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -41,6 +41,15 @@ allowed. Here's how it works at a high level: - If the authorization policy denies access, the view callable is not invoked; instead the :term:`forbidden view` is invoked. +Security in :app:`Pyramid`, unlike many systems, cleanly and explicitly +separates authentication and authorization. Authentication is merely the +mechanism by which credentials provided in the :term:`request` are +resolved to one or more :term:`principal` identifiers. These identifiers +represent the users and groups in effect during the request. +Authorization then determines access based on the :term:`principal` +identifiers, the :term:`view callable` being invoked, and the +:term:`context` resource. + Authorization is enabled by modifying your application to include an :term:`authentication policy` and :term:`authorization policy`. :app:`Pyramid` comes with a variety of implementations of these -- cgit v1.2.3 From cb0f3c4f0f06ba9e052d6c3ea248045965ebbc0c Mon Sep 17 00:00:00 2001 From: Casey Duncan Date: Sat, 15 Jan 2011 22:24:45 -0700 Subject: add missing word --- docs/narr/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/narr/security.rst') diff --git a/docs/narr/security.rst b/docs/narr/security.rst index f20c9f63e..babf66ecd 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst 
@@ -179,8 +179,8 @@ to invoke the ``blog_entry_add_view`` view. If he does not, the Setting a Default Permission ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If a permission is not supplied to a view configuration, the -registered view always be executable by entirely anonymous users: any +If a permission is not supplied to a view configuration, the registered +view will always be executable by entirely anonymous users: any authorization policy in effect is ignored. In support of making it easier to configure applications which are -- cgit v1.2.3
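Review bot: in the `reword security intro paragraph` hunk (@@ -6,11 +6,12 @@), the new sentence `the authorization system can use the credentials in the :term:`request` along with the :term:`context` resource to determine if access will be allowed` attributes credential handling to authorization, which the later `XXX explain the authentication/authorization separate in pyramid` hunk contradicts by stating that authentication is what resolves credentials to principal identifiers and that authorization acts on those identifiers. Suggest wording the intro the same way, e.g. `can use the :term:`principal` identifiers resolved from the credentials in the :term:`request`, along with the :term:`context` resource`, so the two paragraphs agree about which component sees raw credentials. The `prevents a :term:`view` from being invoked based on an` wording in this hunk is already softened to `can prevent` by the following `slight clarification` hunk, so nothing further is needed there.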
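Review bot: in the `XXX explain the authentication/authorization separate in pyramid. Confirm this is correct XXX` hunk (@@ -41,6 +41,15 @@), the added sentence `Authorization then determines access based on the :term:`principal` identifiers, the :term:`view callable` being invoked, and the :term:`context` resource` misstates the third input: the authorization policy is asked whether the principals hold a given permission on the context, and the view callable itself is never handed to it; what matters is the permission named in the view configuration, which the `add missing word` hunk further down relies on when it says a view with no permission is executable by anonymous users with `any authorization policy in effect is ignored`. Suggest `the permission associated with the view configuration being invoked` (using the `:term:` role if `permission` is a glossary entry). The commit subject also still carries the author's own `XXX ... Confirm this is correct XXX` marker, so this is the point to confirm before merging, and the marker should be removed from the subject once it is.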
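Review bot: in the `add missing word` hunk (@@ -179,8 +179,8 @@), the corrected sentence `the registered view will always be executable by entirely anonymous users: any authorization policy in effect is ignored` holds only when no default permission has been set, which is exactly what the enclosing `Setting a Default Permission` section goes on to describe (`In support of making it easier to configure applications which are ...`). Suggest qualifying it, e.g. `will be executable by entirely anonymous users unless a default permission is configured (see below)`, and since this is a fail-open default it is worth stating plainly that a view configuration without a permission is unprotected no matter which authorization policy is registered, so readers auditing their configuration know to look for views that name no permission.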