From 5f6f7184a997cb2dfa341eef53259d4254a242e8 Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Sun, 15 Dec 2019 20:27:10 -0800
Subject: Remove requirement that identity is validated.

---
 docs/narr/security.rst | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

(limited to 'docs/narr')

diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index cdc16b6a1..60be067bf 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -69,17 +69,21 @@ A simple security policy might look like the following:
     from pyramid.security import Allowed, Denied
 
     class SessionSecurityPolicy:
+        def authenticated_userid(self, request):
+            """ Return a string ID for the user. """
+            userid = self.identify(request).id
+            if validate_userid(request, userid):
+                return userid
+            else:
+                return None
+
         def identify(self, request):
             """ Return app-specific user object. """
-            userid = request.session.get('userid')
+            userid = self.authenticated_userid
             if userid is None:
                 return None
             return load_identity_from_db(request, userid)
 
-        def authenticated_userid(self, request):
-            """ Return a string ID for the user. """
-            return self.identify(request).id
-
         def permits(self, request, context, permission):
             """ Allow access to everything if signed in. """
             identity = self.identify(request)
@@ -141,12 +145,18 @@ For example, our above security policy can leverage these helpers like so:
         def __init__(self):
             self.helper = SessionAuthenticationHelper()
 
-        def identify(self, request):
+        def authenticated_userid(self, request):
             userid = self.helper.authenticated_userid(request)
-            return load_identity_from_db(request, userid)
+            if validate_userid(request, userid):
+                return userid
+            else:
+                return None
 
-        def authenticated_userid(self, request):
-            return self.identify(request).id
+        def identify(self, request):
+            userid = self.authenticated_userid
+            if userid is None:
+                return None
+            return load_identity_from_db(request, userid)
 
         def permits(self, request, context, permission):
             """ Allow access to everything if signed in. """
-- 
cgit v1.2.3