From ead3c7e169dbac62f97cbaffc15f3c40430b70ea Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Tue, 19 Jul 2011 08:26:05 -0400
Subject: - Fixed two typos in wiki2 (SQLA + URL Dispatch) tutorial.

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 76ce4b83f..df5e228fd 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -54,7 +54,7 @@ inside our ``models.py`` file.  Add the following statements to your
 ``models.py`` file:
 
 .. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 3-4,45-49
+   :lines: 3-4,45-50
    :linenos:
    :language: python
 
@@ -228,7 +228,7 @@ We'll then change the return value of these views to pass the `resulting
 .. code-block:: python
    :linenos:
 
-   return dict(page = context,
+   return dict(page = page,
                content = content,
                logged_in = logged_in,
                edit_url = edit_url)
-- 
cgit v1.2.3


From 5edd54f05b05330fa6e899a1bb1650cc7a2df33c Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sun, 27 Nov 2011 04:08:20 -0500
Subject: - The SQLAlchemy Wiki tutorial has been updated.  It now uses  
 ``@view_config`` decorators and an explicit database population script.

Closes #359.
---
 docs/tutorials/wiki2/authorization.rst | 153 +++++++++++++++++----------------
 1 file changed, 78 insertions(+), 75 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index df5e228fd..ab04ea405 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -4,27 +4,22 @@
 Adding Authorization
 ====================
 
-Our application currently allows anyone with access to the server to
-view, edit, and add pages to our wiki.  For purposes of demonstration
-we'll change our application to allow only people whom possess a
-specific username (`editor`) to add and edit wiki pages but we'll
-continue allowing anyone with access to the server to view pages.
-:app:`Pyramid` provides facilities for :term:`authorization` and
-:term:`authentication`.  We'll make use of both features to provide security
-to our application.
-
-We will add an :term:`authentication policy` and an
-:term:`authorization policy` to our :term:`application
-registry`, add a ``security.py`` module, create a :term:`root factory`
-with an :term:`ACL`, and add :term:`permission` declarations to
-the ``edit_page`` and ``add_page`` views.
-
-Then we will add ``login`` and ``logout`` views, and modify the
-existing views to make them return a ``logged_in`` flag to the
-renderer.
-
-Finally, we will add a ``login.pt`` template and change the existing
-``view.pt`` and ``edit.pt`` to show a "Logout" link when not logged in.
+:app:`Pyramid` provides facilities for :term:`authentication` and
+:term:`authorization`.  We'll make use of both features to provide security
+to our application.  Our application currently allows anyone with access to
+the server to view, edit, and add pages to our wiki.  We'll change our
+application to allow only people whom possess a specific username (`editor`)
+to add and edit wiki pages but we'll continue allowing anyone with access to
+the server to view pages.
+
+To do so, we'll add an :term:`authentication policy` and an
+:term:`authorization policy`.  We'll also add a ``security.py`` module,
+create a :term:`root factory` with an :term:`ACL`, and add :term:`permission`
+declarations to the ``edit_page`` and ``add_page`` views.  Then we'll add
+``login`` and ``logout`` views, and modify the existing views to make them
+return a ``logged_in`` flag to the renderer.  Finally, we will add a
+``login.pt`` template and change the existing ``view.pt`` and ``edit.pt`` to
+show a "Logout" link when not logged in.
 
 The source code for this tutorial stage can be browsed at
 `http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/
@@ -54,7 +49,7 @@ inside our ``models.py`` file.  Add the following statements to your
 ``models.py`` file:
 
 .. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 3-4,45-50
+   :lines: 1-4,35-39
    :linenos:
    :language: python
 
@@ -92,14 +87,14 @@ We'll change our ``__init__.py`` file to enable an
 declarative security checking. We need to import the new policies:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 2-3,8
+   :lines: 2-3,7
    :linenos:
    :language: python
 
 Then, we'll add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 15-21
+   :lines: 16-22
    :linenos:
    :language: python
 
@@ -111,49 +106,12 @@ represented by this policy: it is required.  The ``callback`` is a
 ``groupfinder`` function in the current directory's ``security.py`` file.  We
 haven't added that module yet, but we're about to.
 
-We'll also change ``__init__.py``, adding a call to
-:meth:`pyramid.config.Configurator.add_view` that points at our ``login``
-:term:`view callable`.  This is also known as a :term:`forbidden view`:
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 25,41-43
-   :linenos:
-   :language: python
-
-A forbidden view configures our newly created login view to show up when
-:app:`Pyramid` detects that a view invocation can not be authorized.
-
-A ``logout`` :term:`view callable` will allow users to log out later:
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 26,34
-   :linenos:
-   :language: python
-
-We'll also add ``permission`` arguments with the value ``edit`` to the
-``edit_page`` and ``add_page`` views.  This indicates that the view
-callables which these views reference cannot be invoked without the
-authenticated user possessing the ``edit`` permission with respect to the
-current context.
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 37-40
-   :linenos:
-   :language: python
-
-Adding these ``permission`` arguments causes Pyramid to make the
-assertion that only users who possess the effective ``edit`` permission at
-the time of the request may invoke those two views.  We've granted the
-``group:editors`` principal the ``edit`` permission at the root model via its
-ACL, so only the a user whom is a member of the group named ``group:editors``
-will able to invoke the views associated with the ``add_page`` or
-``edit_page`` routes.
-
 Viewing Your Changes
 ~~~~~~~~~~~~~~~~~~~~
 
-When we're done configuring a root factory, adding an authorization policy,
-and adding views, your application's ``__init__.py`` will look like this:
+When we're done configuring a root factory, adding a authentication and
+authorization policies, and adding routes for ``/login`` and ``/logout``,
+your application's ``__init__.py`` will look like this:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
@@ -191,30 +149,54 @@ views, the ``editor`` user should be able to add and edit pages.
 Adding Login and Logout Views
 -----------------------------
 
-We'll add a ``login`` view callable which renders a login form and
-processes the post from the login form, checking credentials.
+To our ``views.py`` we'll add a ``login`` view callable which renders a login
+form and processes the post from the login form, checking credentials.
 
 We'll also add a ``logout`` view callable to our application and
 provide a link to it.  This view will clear the credentials of the
 logged in user and redirect back to the front page.
 
-We'll add a different file (for presentation convenience) to add login
-and the logout view callables.  Add a file named ``login.py`` to your
-application (in the same directory as ``views.py``) with the following
-content:
+The ``login`` view callable will look something like this:
 
-.. literalinclude:: src/authorization/tutorial/login.py
+.. literalinclude:: src/authorization/tutorial/views.py
+   :pyobject: login
    :linenos:
    :language: python
 
+The ``logout`` view callable will look something like this:
+
+.. literalinclude:: src/authorization/tutorial/views.py
+   :pyobject: logout
+   :linenos:
+   :language: python
+
+The ``login`` view callable is decorated with two ``@view_config``
+decorators, one which associates it with the ``login`` route, the other which
+associates it with the ``HTTPForbidden`` context.  The one which associates
+it with the ``login`` route makes it visible when we visit ``/login``.  The
+one which associates it with the ``HTTPForbidden`` context makes it the
+:term:`forbidden view`.  The forbidden view is displayed whenever Pyramid or
+your application raises an HTTPForbidden exception.  In this case, we'll be
+relying on the forbidden view to show the login form whenver someone attempts
+to execute an action which they're not yet authorized to perform.
+
+The ``logout`` view callable is decorated with a ``@view_config`` decorator
+which associates it with the ``logout`` route.  This makes it visible when we
+visit ``/login``.
+
+We'll need to import some stuff to service the needs of these two functions:
+the ``HTTPForbidden`` exception, a number of values from the
+``pyramid.security`` module, and a value from our newly added
+``tutorial.security`` package.
+
 Changing Existing Views
 -----------------------
 
 Then we need to change each of our ``view_page``, ``edit_page`` and
-``add_page`` views in ``views.py`` to pass a "logged in" parameter to its
-template.  We'll add something like this to each view body:
+``add_page`` view callables in ``views.py``.  Within each of these views,
+we'll need to pass a "logged in" parameter to its template.  We'll add
+something like this to each view body:
 
-.. ignore-next-block
 .. code-block:: python
    :linenos:
 
@@ -224,7 +206,6 @@ template.  We'll add something like this to each view body:
 We'll then change the return value of these views to pass the `resulting
 `logged_in`` value to the template, e.g.:
 
-.. ignore-next-block
 .. code-block:: python
    :linenos:
 
@@ -233,6 +214,28 @@ We'll then change the return value of these views to pass the `resulting
                logged_in = logged_in,
                edit_url = edit_url)
 
+We'll also need to add a ``permission`` value to the ``@view_config``
+decorator for each of the ``add_page`` and ``edit_page`` view callables.  For
+each, we'll add ``permission='edit'``, for example:
+
+.. code-block:: python
+   :linenos:
+
+   @view_config(route_name='edit_page', renderer='templates/edit.pt',
+                permission='edit')
+
+See the ``permission='edit'`` we added there?  This indicates that the view
+callables which these views reference cannot be invoked without the
+authenticated user possessing the ``edit`` permission with respect to the
+current :term:`context`.
+
+Adding these ``permission`` arguments causes Pyramid to make the assertion
+that only users who possess the effective ``edit`` permission at the time of
+the request may invoke those two views.  We've granted the ``group:editors``
+principal the ``edit`` permission at the root model via its ACL, so only the
+a user whom is a member of the group named ``group:editors`` will able to
+invoke the views associated with the ``add_page`` or ``edit_page`` routes.
+
 Adding the ``login.pt`` Template
 --------------------------------
 
-- 
cgit v1.2.3


From d1ad7044480901123b9c744b686b579491c36683 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sun, 29 Jan 2012 13:32:45 -0500
Subject: show decorators along with view callables, fixes #393

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index ab04ea405..56237a1b9 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -159,14 +159,14 @@ logged in user and redirect back to the front page.
 The ``login`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :pyobject: login
+   :lines: 90-116
    :linenos:
    :language: python
 
 The ``logout`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :pyobject: logout
+   :lines: 118-122
    :linenos:
    :language: python
 
-- 
cgit v1.2.3


From c6a299ad7159ffcabe201fa79f485c388d837971 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Tue, 14 Feb 2012 05:57:06 -0500
Subject: - Don't create a ``session`` instance in SQLA Wiki tutorial, use raw 
  ``DBSession`` instead (this is more common in real SQLA apps).

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 56237a1b9..b1d0bf37c 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -159,14 +159,14 @@ logged in user and redirect back to the front page.
 The ``login`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 90-116
+   :lines: 87-113
    :linenos:
    :language: python
 
 The ``logout`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 118-122
+   :lines: 115-119
    :linenos:
    :language: python
 
-- 
cgit v1.2.3


From a7fe30f0eabd6c6fd3bcc910faa41720a75056de Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Wed, 22 Feb 2012 19:24:09 -0500
Subject: - New API: ``pyramid.config.Configurator.add_forbidden_view``.  This
 is a   wrapper for ``pyramid.Config.configurator.add_view`` which does the
 right   thing about permissions.  It should be preferred over calling
 ``add_view``   directly with ``context=HTTPForbidden`` as was previously
 recommended.

- New API: ``pyramid.view.forbidden_view_config``.  This is a decorator
  constructor like ``pyramid.view.view_config`` that calls
  ``pyramid.config.Configurator.add_forbidden_view`` when scanned.  It should
  be preferred over using ``pyramid.view.view_config`` with
  ``context=HTTPForbidden`` as was previously recommended.

- Updated the "Creating a Not Forbidden View" section of the "Hooks" chapter,
  replacing explanations of registering a view using ``add_view`` or
  ``view_config`` with ones using ``add_forbidden_view`` or
  ``forbidden_view_config``.

- Updated all tutorials to use ``pyramid.view.forbidden_view_config`` rather
  than ``pyramid.view.view_config`` with an HTTPForbidden context.
---
 docs/tutorials/wiki2/authorization.rst | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index b1d0bf37c..900bf0975 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -159,33 +159,35 @@ logged in user and redirect back to the front page.
 The ``login`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 87-113
+   :lines: 89-115
    :linenos:
    :language: python
 
 The ``logout`` view callable will look something like this:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 115-119
+   :lines: 117-121
    :linenos:
    :language: python
 
-The ``login`` view callable is decorated with two ``@view_config``
-decorators, one which associates it with the ``login`` route, the other which
-associates it with the ``HTTPForbidden`` context.  The one which associates
-it with the ``login`` route makes it visible when we visit ``/login``.  The
-one which associates it with the ``HTTPForbidden`` context makes it the
-:term:`forbidden view`.  The forbidden view is displayed whenever Pyramid or
-your application raises an HTTPForbidden exception.  In this case, we'll be
-relying on the forbidden view to show the login form whenver someone attempts
-to execute an action which they're not yet authorized to perform.
+The ``login`` view callable is decorated with two decorators, a
+``@view_config`` decorators, which associates it with the ``login`` route,
+the other a ``@forbidden_view_config`` decorator which turns it in to an
+:term:`exception view` when Pyramid raises a
+:class:`pyramid.httpexceptions.HTTPForbidden` exception.  The one which
+associates it with the ``login`` route makes it visible when we visit
+``/login``.  The other one makes it a :term:`forbidden view`.  The forbidden
+view is displayed whenever Pyramid or your application raises an
+HTTPForbidden exception.  In this case, we'll be relying on the forbidden
+view to show the login form whenver someone attempts to execute an action
+which they're not yet authorized to perform.
 
 The ``logout`` view callable is decorated with a ``@view_config`` decorator
 which associates it with the ``logout`` route.  This makes it visible when we
 visit ``/login``.
 
 We'll need to import some stuff to service the needs of these two functions:
-the ``HTTPForbidden`` exception, a number of values from the
+the ``pyramid.view.forbidden_view_config`` class, a number of values from the
 ``pyramid.security`` module, and a value from our newly added
 ``tutorial.security`` package.
 
-- 
cgit v1.2.3


From 533c89ebe807f02f5eae3240e770864b21f78168 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Mon, 12 Mar 2012 17:57:13 -0700
Subject: Clarify two steps in the SQL wiki tutorial

- Highlight the added or changed lines
---
 docs/tutorials/wiki2/authorization.rst | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 900bf0975..5c60640b7 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -189,7 +189,13 @@ visit ``/login``.
 We'll need to import some stuff to service the needs of these two functions:
 the ``pyramid.view.forbidden_view_config`` class, a number of values from the
 ``pyramid.security`` module, and a value from our newly added
-``tutorial.security`` package.
+``tutorial.security`` package.  Add the following import statements to the
+head of the ``views.py`` file:
+
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 9-18,24-25
+   :linenos:
+   :language: python
 
 Changing Existing Views
 -----------------------
-- 
cgit v1.2.3


From 3324e5534289b530a571698519dfe20738cc5610 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Tue, 13 Mar 2012 12:41:50 -0700
Subject: Improved the Authorization chapter

- Added a summary of the steps
- Fixed a couple of typos
---
 docs/tutorials/wiki2/authorization.rst | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 5c60640b7..fb80c3536 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -12,14 +12,19 @@ application to allow only people whom possess a specific username (`editor`)
 to add and edit wiki pages but we'll continue allowing anyone with access to
 the server to view pages.
 
-To do so, we'll add an :term:`authentication policy` and an
-:term:`authorization policy`.  We'll also add a ``security.py`` module,
-create a :term:`root factory` with an :term:`ACL`, and add :term:`permission`
-declarations to the ``edit_page`` and ``add_page`` views.  Then we'll add
-``login`` and ``logout`` views, and modify the existing views to make them
-return a ``logged_in`` flag to the renderer.  Finally, we will add a
-``login.pt`` template and change the existing ``view.pt`` and ``edit.pt`` to
-show a "Logout" link when not logged in.
+We will do the following steps:
+
+* Add a :term:`root factory` with an :term:`ACL` (``models.py``).
+* Add an :term:`authentication policy` and an :term:`authorization policy`
+  (``__init__.py``).
+* Add an authentication policy callback (new ``security.py`` module).
+* Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
+  views (``views.py``).
+* Add ``login`` and ``logout`` views (``views.py``).
+* Make the existing views return a ``logged_in`` flag to the renderer (``views.py``).
+* Add a login template (new ``login.pt``).
+* Add a "Logout" link to be shown when logged in and viewing or editing a page
+  (``view.pt``, ``edit.pt``).
 
 The source code for this tutorial stage can be browsed at
 `http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/
@@ -98,7 +103,7 @@ Then, we'll add those policies to the configuration:
    :linenos:
    :language: python
 
-Note that that the
+Note that the
 :class:`pyramid.authentication.AuthTktAuthenticationPolicy` constructor
 accepts two arguments: ``secret`` and ``callback``.  ``secret`` is a string
 representing an encryption key used by the "authentication ticket" machinery
@@ -248,7 +253,7 @@ Adding the ``login.pt`` Template
 --------------------------------
 
 Add a ``login.pt`` template to your templates directory.  It's
-referred to within the login view we just added to ``login.py``.
+referred to within the login view we just added to ``views.py``.
 
 .. literalinclude:: src/authorization/tutorial/templates/login.pt
    :language: xml
-- 
cgit v1.2.3


From cd475e28d716ad4621b832cf1dc888cfcc4bedce Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Tue, 13 Mar 2012 14:17:23 -0700
Subject: Sync section titles with the summary

---
 docs/tutorials/wiki2/authorization.rst | 69 ++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 32 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index fb80c3536..aadd5097f 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -18,9 +18,9 @@ We will do the following steps:
 * Add an :term:`authentication policy` and an :term:`authorization policy`
   (``__init__.py``).
 * Add an authentication policy callback (new ``security.py`` module).
+* Add ``login`` and ``logout`` views (``views.py``).
 * Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
   views (``views.py``).
-* Add ``login`` and ``logout`` views (``views.py``).
 * Make the existing views return a ``logged_in`` flag to the renderer (``views.py``).
 * Add a login template (new ``login.pt``).
 * Add a "Logout" link to be shown when logged in and viewing or editing a page
@@ -30,15 +30,16 @@ The source code for this tutorial stage can be browsed at
 `http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/
 <http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/>`_.
 
-Changing ``__init__.py`` For Authorization
--------------------------------------------
-
-We're going to be making several changes to our ``__init__.py`` file which
-will help us configure an authorization policy.
-
 Adding A Root Factory
 ~~~~~~~~~~~~~~~~~~~~~
 
+Open ``models.py`` and add the following statements:
+
+.. literalinclude:: src/authorization/tutorial/models.py
+   :lines: 1-4,35-39
+   :linenos:
+   :language: python
+
 We're going to start to use a custom :term:`root factory` within our
 ``__init__.py`` file.  The objects generated by the root factory will be used
 as the :term:`context` of each request to our application.  We do this to
@@ -49,14 +50,8 @@ our contexts, we can begin to make use of the declarative security features
 of :app:`Pyramid`.
 
 We'll modify our ``__init__.py``, passing in a :term:`root factory` to our
-:term:`Configurator` constructor.  We'll point it at a new class we create
-inside our ``models.py`` file.  Add the following statements to your
-``models.py`` file:
-
-.. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 1-4,35-39
-   :linenos:
-   :language: python
+:term:`Configurator` constructor.  We'll point it at the new class we created
+inside our ``models.py`` file.
 
 The ``RootFactory`` class we've just added will be used by :app:`Pyramid` to
 construct a ``context`` object.  The context is attached to the request
@@ -78,8 +73,11 @@ information about what an :term:`ACL` represents.
 We'll pass the ``RootFactory`` we created in the step above in as the
 ``root_factory`` argument to a :term:`Configurator`.
 
-Configuring an Authorization Policy
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add an Authorization Policy and an Authentication Policy
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+We're going to be making several changes to our ``__init__.py`` file which
+will help us configure an authorization policy.
 
 For any :app:`Pyramid` application to perform authorization, we need to add a
 ``security.py`` module (we'll do that shortly) and we'll need to change our
@@ -87,16 +85,16 @@ For any :app:`Pyramid` application to perform authorization, we need to add a
 :term:`authorization policy` which uses the ``security.py`` file for a
 *callback*.
 
-We'll change our ``__init__.py`` file to enable an
-``AuthTktAuthenticationPolicy`` and an ``ACLAuthorizationPolicy`` to enable
-declarative security checking. We need to import the new policies:
+We'll enable an ``AuthTktAuthenticationPolicy`` and an ``ACLAuthorizationPolicy``
+to implement declarative security checking. Open ``tutorial/__init__.py`` and
+add these import statements:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 2-3,7
    :linenos:
    :language: python
 
-Then, we'll add those policies to the configuration:
+Now add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 16-22
@@ -112,7 +110,7 @@ represented by this policy: it is required.  The ``callback`` is a
 haven't added that module yet, but we're about to.
 
 Viewing Your Changes
-~~~~~~~~~~~~~~~~~~~~
+--------------------
 
 When we're done configuring a root factory, adding a authentication and
 authorization policies, and adding routes for ``/login`` and ``/logout``,
@@ -122,11 +120,12 @@ your application's ``__init__.py`` will look like this:
    :linenos:
    :language: python
 
-Adding ``security.py``
-----------------------
+Adding an authentication policy callback
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add a ``security.py`` module within your package (in the same directory as
-:file:`__init__.py`, :file:`views.py`, etc.) with the following content:
+Add a ``tutorial/security.py`` module within your package (in the same
+directory as :file:`__init__.py`, :file:`views.py`, etc.) with the
+following content:
 
 .. literalinclude:: src/authorization/tutorial/security.py
    :linenos:
@@ -152,7 +151,7 @@ and the permission associated with the ``add_page`` and ``edit_page``
 views, the ``editor`` user should be able to add and edit pages.
 
 Adding Login and Logout Views
------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To our ``views.py`` we'll add a ``login`` view callable which renders a login
 form and processes the post from the login form, checking credentials.
@@ -203,7 +202,10 @@ head of the ``views.py`` file:
    :language: python
 
 Changing Existing Views
------------------------
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Add permision declarations
+--------------------------
 
 Then we need to change each of our ``view_page``, ``edit_page`` and
 ``add_page`` view callables in ``views.py``.  Within each of these views,
@@ -216,6 +218,9 @@ something like this to each view body:
    from pyramid.security import authenticated_userid
    logged_in = authenticated_userid(request)
 
+Return a logged_in flag to the renderer
+---------------------------------------
+
 We'll then change the return value of these views to pass the `resulting
 `logged_in`` value to the template, e.g.:
 
@@ -250,7 +255,7 @@ a user whom is a member of the group named ``group:editors`` will able to
 invoke the views associated with the ``add_page`` or ``edit_page`` routes.
 
 Adding the ``login.pt`` Template
---------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Add a ``login.pt`` template to your templates directory.  It's
 referred to within the login view we just added to ``views.py``.
@@ -258,8 +263,8 @@ referred to within the login view we just added to ``views.py``.
 .. literalinclude:: src/authorization/tutorial/templates/login.pt
    :language: xml
 
-Change ``view.pt`` and ``edit.pt``
-----------------------------------
+Add a "Logout" link when logged in
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 We'll also need to change our ``edit.pt`` and ``view.pt`` templates to
 display a "Logout" link if someone is logged in.  This link will
@@ -294,7 +299,7 @@ Our ``view.pt`` template will look something like this when we're done:
    :language: xml
 
 Viewing the Application in a Browser
-------------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 We can finally examine our application in a browser.  The views we'll
 try are as follows:
-- 
cgit v1.2.3


From e5958645c42b18c269f9da627c623fa686b8e336 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Tue, 13 Mar 2012 15:18:09 -0700
Subject: Improved the Authorization chapter

- Highlighted the added lines in the listings
- Simplified 'Viewing the application in a browser' and
  added link to Starting the application
---
 docs/tutorials/wiki2/authorization.rst | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index aadd5097f..b76fd9a6c 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -118,6 +118,7 @@ your application's ``__init__.py`` will look like this:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
+   :emphasize-lines: 2-3,7,16-18,20-22,25-26
    :language: python
 
 Adding an authentication policy callback
@@ -280,46 +281,56 @@ class="app-welcome align-right">`` div:
    </span>
 
 Seeing Our Changes To ``views.py`` and our Templates
-----------------------------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Our ``views.py`` module will look something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
+   :emphasize-lines: 11,14-18,56,59,71,74,89-115,117-121
    :language: python
 
+(Only the highlighted lines need to be added.)
+
 Our ``edit.pt`` template will look something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.pt
+   :emphasize-lines: 41-43
    :language: xml
 
+(Only the highlighted lines need to be added.)
+
 Our ``view.pt`` template will look something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.pt
+   :emphasize-lines: 41-43
    :language: xml
 
+(Only the highlighted lines need to be added.)
+
 Viewing the Application in a Browser
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We can finally examine our application in a browser.  The views we'll
-try are as follows:
+We can finally examine our application in a browser (See
+:ref:`wiki2-start-the-application`).  Launch a browser and visit
+each of the following URLs, check that the result is as expected:
 
-- Visiting ``http://localhost:6543/`` in a browser invokes the
+- ``http://localhost:6543/`` invokes the
   ``view_wiki`` view.  This always redirects to the ``view_page`` view
   of the FrontPage page object.  It is executable by any user.
 
-- Visiting ``http://localhost:6543/FrontPage`` in a browser invokes
+- ``http://localhost:6543/FrontPage`` invokes
   the ``view_page`` view of the FrontPage page object.
 
-- Visiting ``http://localhost:6543/FrontPage/edit_page`` in a browser
+- ``http://localhost:6543/edit_page/FrontPage``
   invokes the edit view for the FrontPage object.  It is executable by
   only the ``editor`` user.  If a different user (or the anonymous
   user) invokes it, a login form will be displayed.  Supplying the
   credentials with the username ``editor``, password ``editor`` will
   display the edit page form.
 
-- Visiting ``http://localhost:6543/add_page/SomePageName`` in a
-  browser invokes the add view for a page.  It is executable by only
+- ``http://localhost:6543/add_page/SomePageName``
+  invokes the add view for a page.  It is executable by only
   the ``editor`` user.  If a different user (or the anonymous user)
   invokes it, a login form will be displayed.  Supplying the
   credentials with the username ``editor``, password ``editor`` will
-- 
cgit v1.2.3


From 692fd6816616ed5b3cb9ef3c0f2c6eff2276da93 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sat, 17 Mar 2012 00:05:06 -0400
Subject: master->1.3-branch

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index b76fd9a6c..a40cbdb3a 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -27,8 +27,8 @@ We will do the following steps:
   (``view.pt``, ``edit.pt``).
 
 The source code for this tutorial stage can be browsed at
-`http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/
-<http://github.com/Pylons/pyramid/tree/master/docs/tutorials/wiki2/src/authorization/>`_.
+`http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/
+<http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/>`_.
 
 Adding A Root Factory
 ~~~~~~~~~~~~~~~~~~~~~
-- 
cgit v1.2.3


From b3e608bac815a7d3fc639d78ec38edc5f97df859 Mon Sep 17 00:00:00 2001
From: Doug Latornell <djl@douglatornell.ca>
Date: Sat, 17 Mar 2012 09:27:13 -0700
Subject: Improve text of SQLAlchemy wiki tutorial.

A mixture of typo fixes and wording improvements.
---
 docs/tutorials/wiki2/authorization.rst | 68 +++++++++++++++++-----------------
 1 file changed, 35 insertions(+), 33 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index b76fd9a6c..338ec54be 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -7,8 +7,8 @@ Adding Authorization
 :app:`Pyramid` provides facilities for :term:`authentication` and
 :term:`authorization`.  We'll make use of both features to provide security
 to our application.  Our application currently allows anyone with access to
-the server to view, edit, and add pages to our wiki.  We'll change our
-application to allow only people whom possess a specific username (`editor`)
+the server to view, edit, and add pages to our wiki.  We'll change that
+to allow only people who possess a specific username (`editor`)
 to add and edit wiki pages but we'll continue allowing anyone with access to
 the server to view pages.
 
@@ -41,13 +41,12 @@ Open ``models.py`` and add the following statements:
    :language: python
 
 We're going to start to use a custom :term:`root factory` within our
-``__init__.py`` file.  The objects generated by the root factory will be used
-as the :term:`context` of each request to our application.  We do this to
-allow :app:`Pyramid` declarative security to work properly.  The context
-object generated by the root factory during a request will be decorated with
-security declarations. When we begin to use a custom root factory to generate
-our contexts, we can begin to make use of the declarative security features
-of :app:`Pyramid`.
+``__init__.py`` file.  The objects generated by the root factory will
+be used as the :term:`context` of each request to our application.
+Those context objects will be decorated with security
+declarations. When we use a custom root factory to generate
+our contexts, we can begin to make use of the declarative security
+features of :app:`Pyramid`.
 
 We'll modify our ``__init__.py``, passing in a :term:`root factory` to our
 :term:`Configurator` constructor.  We'll point it at the new class we created
@@ -65,7 +64,7 @@ to a context is interpreted specially by :app:`Pyramid` as an access control
 list during view callable execution.  See :ref:`assigning_acls` for more
 information about what an :term:`ACL` represents.
 
-.. note: Although we don't use the functionality here, the ``factory`` used
+.. note:: Although we don't use the functionality here, the ``factory`` used
    to create route contexts may differ per-route as opposed to globally.  See
    the ``factory`` argument to
    :meth:`pyramid.config.Configurator.add_route` for more info.
@@ -147,9 +146,10 @@ We've given the ``editor`` user membership to the ``group:editors`` by
 mapping him to this group in the ``GROUPS`` data structure (``GROUPS =
 {'editor':['group:editors']}``).  Since the ``groupfinder`` function
 consults the ``GROUPS`` data structure, this will mean that, as a
-result of the ACL attached to the root returned by the root factory,
-and the permission associated with the ``add_page`` and ``edit_page``
-views, the ``editor`` user should be able to add and edit pages.
+result of the ACL attached to the :term:`context` object returned by
+the root factory, and the permission associated with the ``add_page``
+and ``edit_page`` views, the ``editor`` user should be able to add and
+edit pages.
 
 Adding Login and Logout Views
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -176,20 +176,20 @@ The ``logout`` view callable will look something like this:
    :language: python
 
 The ``login`` view callable is decorated with two decorators, a
-``@view_config`` decorators, which associates it with the ``login`` route,
-the other a ``@forbidden_view_config`` decorator which turns it in to an
-:term:`exception view` when Pyramid raises a
-:class:`pyramid.httpexceptions.HTTPForbidden` exception.  The one which
-associates it with the ``login`` route makes it visible when we visit
-``/login``.  The other one makes it a :term:`forbidden view`.  The forbidden
-view is displayed whenever Pyramid or your application raises an
-HTTPForbidden exception.  In this case, we'll be relying on the forbidden
-view to show the login form whenver someone attempts to execute an action
-which they're not yet authorized to perform.
+``@view_config`` decorator, which associates it with the ``login``
+route, and a ``@forbidden_view_config`` decorator which turns it in to
+an :term:`exception view`.  The one which associates it with the
+``login`` route makes it visible when we visit ``/login``.  The other
+one makes it a :term:`forbidden view`.  The forbidden view is
+displayed whenever Pyramid or your application raises an
+:class:`pyramid.httpexceptions.HTTPForbidden` exception.  In this
+case, we'll be relying on the forbidden view to show the login form
+whenver someone attempts to execute an action which they're not yet
+authorized to perform.
 
 The ``logout`` view callable is decorated with a ``@view_config`` decorator
 which associates it with the ``logout`` route.  This makes it visible when we
-visit ``/login``.
+visit ``/logout``.
 
 We'll need to import some stuff to service the needs of these two functions:
 the ``pyramid.view.forbidden_view_config`` class, a number of values from the
@@ -222,8 +222,8 @@ something like this to each view body:
 Return a logged_in flag to the renderer
 ---------------------------------------
 
-We'll then change the return value of these views to pass the `resulting
-`logged_in`` value to the template, e.g.:
+We'll then change the return value of these views to pass the resulting
+``logged_in`` value to the template, e.g.:
 
 .. code-block:: python
    :linenos:
@@ -248,12 +248,14 @@ callables which these views reference cannot be invoked without the
 authenticated user possessing the ``edit`` permission with respect to the
 current :term:`context`.
 
-Adding these ``permission`` arguments causes Pyramid to make the assertion
-that only users who possess the effective ``edit`` permission at the time of
-the request may invoke those two views.  We've granted the ``group:editors``
-principal the ``edit`` permission at the root model via its ACL, so only the
-a user whom is a member of the group named ``group:editors`` will able to
-invoke the views associated with the ``add_page`` or ``edit_page`` routes.
+Adding these ``permission`` arguments causes Pyramid to make the
+assertion that only users who possess the effective ``edit``
+permission at the time of the request may invoke those two views.
+We've granted the ``group:editors`` :term:`principal` the ``edit``
+permission in the :term:`root factory` via its ACL, so only a user who
+is a member of the group named ``group:editors`` will be able to
+invoke the views associated with the ``add_page`` or ``edit_page``
+routes.
 
 Adding the ``login.pt`` Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -322,7 +324,7 @@ each of the following URLs, check that the result is as expected:
 - ``http://localhost:6543/FrontPage`` invokes
   the ``view_page`` view of the FrontPage page object.
 
-- ``http://localhost:6543/edit_page/FrontPage``
+- ``http://localhost:6543/FrontPage/edit_page``
   invokes the edit view for the FrontPage object.  It is executable by
   only the ``editor`` user.  If a different user (or the anonymous
   user) invokes it, a login form will be displayed.  Supplying the
-- 
cgit v1.2.3


From ef501bb1618e12ec9f0a57ba5cf873616f7c440a Mon Sep 17 00:00:00 2001
From: Doug Latornell <djl@douglatornell.ca>
Date: Sat, 17 Mar 2012 10:12:34 -0700
Subject: Fix typos.

---
 docs/tutorials/wiki2/authorization.rst | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 338ec54be..c695c7da4 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -64,10 +64,12 @@ to a context is interpreted specially by :app:`Pyramid` as an access control
 list during view callable execution.  See :ref:`assigning_acls` for more
 information about what an :term:`ACL` represents.
 
-.. note:: Although we don't use the functionality here, the ``factory`` used
-   to create route contexts may differ per-route as opposed to globally.  See
-   the ``factory`` argument to
-   :meth:`pyramid.config.Configurator.add_route` for more info.
+.. note::
+
+    Although we don't use the functionality here, the ``factory`` used
+    to create route contexts may differ per-route as opposed to globally.  See
+    the ``factory`` argument to
+    :meth:`pyramid.config.Configurator.add_route` for more info.
 
 We'll pass the ``RootFactory`` we created in the step above in as the
 ``root_factory`` argument to a :term:`Configurator`.
-- 
cgit v1.2.3


From f67963b501d426401f3543ea3429f15236399567 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Mon, 26 Mar 2012 18:53:19 -0600
Subject: Mark line with yellow in SQL wiki - issue #510

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 8c1c50ff6..88698eebf 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -291,7 +291,7 @@ Our ``views.py`` module will look something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,14-18,56,59,71,74,89-115,117-121
+   :emphasize-lines: 11,14-18,56,59,71,74,86,89-115,117-121
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 611582fafe01261777289bf3bd71a83413f977ab Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 1 Apr 2012 08:21:39 -0500
Subject: Improved Adding Authorization in SQL wiki tutorial

- Removed unneeded logged_in assignment
- Moved up text to the corresponding section
- Normalize references to view callables
- Simplify text in Add permission declarations
---
 docs/tutorials/wiki2/authorization.rst | 73 ++++++++++++++--------------------
 1 file changed, 29 insertions(+), 44 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 88698eebf..55c2ab7d3 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -204,79 +204,64 @@ head of the ``views.py`` file:
    :linenos:
    :language: python
 
-Changing Existing Views
-~~~~~~~~~~~~~~~~~~~~~~~
+Add permission declarations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add permision declarations
---------------------------
-
-Then we need to change each of our ``view_page``, ``edit_page`` and
-``add_page`` view callables in ``views.py``.  Within each of these views,
-we'll need to pass a "logged in" parameter to its template.  We'll add
-something like this to each view body:
+Add a ``permission='edit'`` parameter to the ``@view_config``
+decorator for ``add_page()`` and ``edit_page()``, for example:
 
 .. code-block:: python
    :linenos:
 
-   from pyramid.security import authenticated_userid
-   logged_in = authenticated_userid(request)
+   @view_config(route_name='add_page', renderer='templates/edit.pt',
+                permission='edit')
+
+The result is that only users who possess the ``edit``
+permission at the time of the request may invoke those two views.
+
+We've granted the ``group:editors`` :term:`principal` the ``edit``
+permission in the :term:`root factory` via its ACL, so only a user who
+is a member of the group named ``group:editors`` will be able to
+invoke the views associated with the ``add_page`` or ``edit_page``
+routes.
 
 Return a logged_in flag to the renderer
----------------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We'll then change the return value of these views to pass the resulting
-``logged_in`` value to the template, e.g.:
+Change the return value of the ``view_page``,
+``edit_page`` and  ``add_page`` view callables in ``views.py``
+to pass a ``logged_in`` value to the template, e.g.:
 
 .. code-block:: python
    :linenos:
 
    return dict(page = page,
                content = content,
-               logged_in = logged_in,
+               logged_in = authenticated_userid(request),
                edit_url = edit_url)
 
-We'll also need to add a ``permission`` value to the ``@view_config``
-decorator for each of the ``add_page`` and ``edit_page`` view callables.  For
-each, we'll add ``permission='edit'``, for example:
-
-.. code-block:: python
-   :linenos:
-
-   @view_config(route_name='edit_page', renderer='templates/edit.pt',
-                permission='edit')
-
-See the ``permission='edit'`` we added there?  This indicates that the view
-callables which these views reference cannot be invoked without the
-authenticated user possessing the ``edit`` permission with respect to the
-current :term:`context`.
-
-Adding these ``permission`` arguments causes Pyramid to make the
-assertion that only users who possess the effective ``edit``
-permission at the time of the request may invoke those two views.
-We've granted the ``group:editors`` :term:`principal` the ``edit``
-permission in the :term:`root factory` via its ACL, so only a user who
-is a member of the group named ``group:editors`` will be able to
-invoke the views associated with the ``add_page`` or ``edit_page``
-routes.
-
 Adding the ``login.pt`` Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add a ``login.pt`` template to your templates directory.  It's
-referred to within the login view we just added to ``views.py``.
+Create ``tutorial/tutorial/templates/login.pt`` with the following
+content:
 
 .. literalinclude:: src/authorization/tutorial/templates/login.pt
    :language: xml
 
+The above template is referred to within the login view we just
+added to ``views.py``.
+
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We'll also need to change our ``edit.pt`` and ``view.pt`` templates to
+We'll change our ``edit.pt`` and ``view.pt`` templates to
 display a "Logout" link if someone is logged in.  This link will
 invoke the logout view.
 
-To do so we'll add this to both templates within the ``<div id="right"
-class="app-welcome align-right">`` div:
+Open ``tutorial/tutorial/templates/edit.pt`` and
+``tutorial/tutorial/templates/view.pt``  and add this within the
+``<div id="right" class="app-welcome align-right">`` div:
 
 .. code-block:: xml
 
-- 
cgit v1.2.3


From 9d05d137864df98bc1e3657f862921d2e7071ebc Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 1 Apr 2012 12:50:28 -0500
Subject: More simplification to the Authorization chapter

- Clarify the Adding A Root Factory section, include
  a related modification to __init__.py
- Added Add routes for /login and /logout section
- Added yellow higlighting in various listings
- Consolidate all the Seeing our changes at the end
- Use a 'do, then explain' pattern
---
 docs/tutorials/wiki2/authorization.rst | 138 +++++++++++++++++++++------------
 1 file changed, 90 insertions(+), 48 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 55c2ab7d3..c6c79086a 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -14,10 +14,12 @@ the server to view pages.
 
 We will do the following steps:
 
-* Add a :term:`root factory` with an :term:`ACL` (``models.py``).
+* Add a :term:`root factory` with an :term:`ACL` (``models.py``,
+  ``__init__.py``).
 * Add an :term:`authentication policy` and an :term:`authorization policy`
   (``__init__.py``).
 * Add an authentication policy callback (new ``security.py`` module).
+* Add routes for /login and /logout (``__init__.py``).
 * Add ``login`` and ``logout`` views (``views.py``).
 * Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
   views (``views.py``).
@@ -33,28 +35,40 @@ The source code for this tutorial stage can be browsed at
 Adding A Root Factory
 ~~~~~~~~~~~~~~~~~~~~~
 
-Open ``models.py`` and add the following statements:
+Open ``tutorial/tutorial/models.py`` and add the following import
+statement at the head:
 
 .. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 1-4,35-39
+   :lines: 1-4
    :linenos:
    :language: python
 
-We're going to start to use a custom :term:`root factory` within our
-``__init__.py`` file.  The objects generated by the root factory will
-be used as the :term:`context` of each request to our application.
-Those context objects will be decorated with security
-declarations. When we use a custom root factory to generate
-our contexts, we can begin to make use of the declarative security
-features of :app:`Pyramid`.
+Add the following class definition:
 
-We'll modify our ``__init__.py``, passing in a :term:`root factory` to our
-:term:`Configurator` constructor.  We'll point it at the new class we created
-inside our ``models.py`` file.
+.. literalinclude:: src/authorization/tutorial/models.py
+   :lines: 35-39
+   :linenos:
+   :language: python
+
+The ``RootFactory`` class is a :term:`root factory` that will be used by
+:app:`Pyramid` to construct the :term:`context` of each request to
+our application.  The context is attached to the request
+object passed to our view callables as the ``context`` attribute,
+and will be decorated with security declarations.   By using a custom
+root factory to generate our contexts, we can use the
+declarative security features of :app:`Pyramid`.
+
+Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory``
+parameter to our :term:`Configurator` constructor, that points to
+the class we created above:
+
+.. literalinclude:: src/authorization/tutorial/__init__.py
+   :lines: 19-20
+   :linenos:
+   :emphasize-lines: 2
+   :language: python
 
-The ``RootFactory`` class we've just added will be used by :app:`Pyramid` to
-construct a ``context`` object.  The context is attached to the request
-object passed to our view callables as the ``context`` attribute.
+(Only the highlighted line needs to be added.)
 
 The context object generated by our root factory will possess an ``__acl__``
 attribute that allows :data:`pyramid.security.Everyone` (a special principal)
@@ -71,15 +85,9 @@ information about what an :term:`ACL` represents.
     the ``factory`` argument to
     :meth:`pyramid.config.Configurator.add_route` for more info.
 
-We'll pass the ``RootFactory`` we created in the step above in as the
-``root_factory`` argument to a :term:`Configurator`.
-
 Add an Authorization Policy and an Authentication Policy
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We're going to be making several changes to our ``__init__.py`` file which
-will help us configure an authorization policy.
-
 For any :app:`Pyramid` application to perform authorization, we need to add a
 ``security.py`` module (we'll do that shortly) and we'll need to change our
 ``__init__.py`` file to add an :term:`authentication policy` and an
@@ -100,8 +108,11 @@ Now add those policies to the configuration:
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 16-22
    :linenos:
+   :emphasize-lines: 1-3,6-7
    :language: python
 
+(Only the highlighted lines need to be added.)
+
 Note that the
 :class:`pyramid.authentication.AuthTktAuthenticationPolicy` constructor
 accepts two arguments: ``secret`` and ``callback``.  ``secret`` is a string
@@ -110,31 +121,18 @@ represented by this policy: it is required.  The ``callback`` is a
 ``groupfinder`` function in the current directory's ``security.py`` file.  We
 haven't added that module yet, but we're about to.
 
-Viewing Your Changes
---------------------
-
-When we're done configuring a root factory, adding a authentication and
-authorization policies, and adding routes for ``/login`` and ``/logout``,
-your application's ``__init__.py`` will look like this:
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :linenos:
-   :emphasize-lines: 2-3,7,16-18,20-22,25-26
-   :language: python
-
 Adding an authentication policy callback
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add a ``tutorial/security.py`` module within your package (in the same
-directory as :file:`__init__.py`, :file:`views.py`, etc.) with the
+Create a new ``tutorial/tutorial/security.py`` module with the
 following content:
 
 .. literalinclude:: src/authorization/tutorial/security.py
    :linenos:
    :language: python
 
-The ``groupfinder`` function defined here is an :term:`authentication policy`
-"callback"; it is a callable that accepts a userid and a request.  If
+``groupfinder()`` is an :term:`authentication policy`
+"callback"; it is a function that accepts a userid and a request.  If
 the userid exists in the system, the callback will return a sequence
 of group identifiers (or an empty sequence if the user isn't a member
 of any groups).  If the userid *does not* exist in the system, the
@@ -153,6 +151,16 @@ the root factory, and the permission associated with the ``add_page``
 and ``edit_page`` views, the ``editor`` user should be able to add and
 edit pages.
 
+Add routes for /login and /logout
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Go back to ``tutorial/tutorial/__init__.py`` and add these two
+routes:
+
+.. literalinclude:: src/authorization/tutorial/__init__.py
+   :lines: 25-26
+   :linenos:
+   :language: python
+
 Adding Login and Logout Views
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -197,13 +205,16 @@ We'll need to import some stuff to service the needs of these two functions:
 the ``pyramid.view.forbidden_view_config`` class, a number of values from the
 ``pyramid.security`` module, and a value from our newly added
 ``tutorial.security`` package.  Add the following import statements to the
-head of the ``views.py`` file:
+head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 9-18,24-25
    :linenos:
+   :emphasize-lines: 3,7-8,12
    :language: python
 
+(Only the highlighted lines need to be added.)
+
 Add permission declarations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -212,10 +223,13 @@ decorator for ``add_page()`` and ``edit_page()``, for example:
 
 .. code-block:: python
    :linenos:
+   :emphasize-lines: 2
 
    @view_config(route_name='add_page', renderer='templates/edit.pt',
                 permission='edit')
 
+(Only the highlighted line needs to be added.)
+
 The result is that only users who possess the ``edit``
 permission at the time of the request may invoke those two views.
 
@@ -228,18 +242,36 @@ routes.
 Return a logged_in flag to the renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Change the return value of the ``view_page``,
-``edit_page`` and  ``add_page`` view callables in ``views.py``
-to pass a ``logged_in`` value to the template, e.g.:
+Add the following import statement to the head of
+``tutorial/tutorial/views.py``:
+
+.. code-block:: python
+   :linenos:
+
+   from pyramid.security import (
+        authenticated_userid,
+        )
+
+
+Add a  ``logged_in`` parameter to the return value of
+``view_page()``, ``edit_page()`` and  ``add_page()``,
+like this:
 
 .. code-block:: python
    :linenos:
+   :emphasize-lines: 3
 
    return dict(page = page,
                content = content,
                logged_in = authenticated_userid(request),
                edit_url = edit_url)
 
+(Only the highlighted line needs to be added.)
+
+:meth:`~pyramid.security.authenticated_userid()` will return None
+if the user is not authenticated, or some user id it the user
+is authenticated.
+
 Adding the ``login.pt`` Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -255,10 +287,6 @@ added to ``views.py``.
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We'll change our ``edit.pt`` and ``view.pt`` templates to
-display a "Logout" link if someone is logged in.  This link will
-invoke the logout view.
-
 Open ``tutorial/tutorial/templates/edit.pt`` and
 ``tutorial/tutorial/templates/view.pt``  and add this within the
 ``<div id="right" class="app-welcome align-right">`` div:
@@ -269,8 +297,22 @@ Open ``tutorial/tutorial/templates/edit.pt`` and
       <a href="${request.application_url}/logout">Logout</a>
    </span>
 
-Seeing Our Changes To ``views.py`` and our Templates
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The attribute ``tal:condition="logged_in"`` will make the element be
+included when ``logged_in`` is any user id. The link will invoke
+the logout view.  The above element will not be included if ``logged_in``
+is ``None``, such as when a user is not authenticated.
+
+Seeing Our Changes
+~~~~~~~~~~~~~~~~~~
+
+Our ``__init__.py`` module will look something like this when we're done:
+
+.. literalinclude:: src/authorization/tutorial/__init__.py
+   :linenos:
+   :emphasize-lines: 2-3,7,16-18,20-22,25-26
+   :language: python
+
+(Only the highlighted lines need to be added.)
 
 Our ``views.py`` module will look something like this when we're done:
 
-- 
cgit v1.2.3


From 738f3d37aa722813e2469041b3a2f816aec21185 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 1 Apr 2012 17:48:36 -0500
Subject: Improve Authorization on SQL tutorial

- Simplified the authentication policy callback section
- Use full path for files in Seeing Our Changes
- Fixed a typo
---
 docs/tutorials/wiki2/authorization.rst | 39 ++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 16 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index c6c79086a..3573e06af 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -132,25 +132,28 @@ following content:
    :language: python
 
 ``groupfinder()`` is an :term:`authentication policy`
-"callback"; it is a function that accepts a userid and a request.  If
-the userid exists in the system, the callback will return a sequence
-of group identifiers (or an empty sequence if the user isn't a member
-of any groups).  If the userid *does not* exist in the system, the
-callback will return ``None``.  In a production system, user and group
-data will most often come from a database, but here we use "dummy"
-data to represent user and groups sources. Note that the ``editor``
-user is a member of the ``group:editors`` group in our dummy group
-data (the ``GROUPS`` data structure).
+"callback"; it is a function that accepts a userid and a request and
+returns one of these values:
+
+- If the userid exists in the system, the callback will return a
+  sequence of group identifiers (or an empty sequence if the user
+  isn't a member of any groups).
+- If the userid *does not* exist in the system, the callback will
+  return ``None``.
 
 We've given the ``editor`` user membership to the ``group:editors`` by
-mapping him to this group in the ``GROUPS`` data structure (``GROUPS =
-{'editor':['group:editors']}``).  Since the ``groupfinder`` function
+mapping him to this group in the ``GROUPS`` data structure above.
+Since the ``groupfinder`` function
 consults the ``GROUPS`` data structure, this will mean that, as a
 result of the ACL attached to the :term:`context` object returned by
 the root factory, and the permission associated with the ``add_page``
 and ``edit_page`` views, the ``editor`` user should be able to add and
 edit pages.
 
+In a production system, user and group
+data will most often come from a database, but here we use "dummy"
+data to represent user and groups sources.
+
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Go back to ``tutorial/tutorial/__init__.py`` and add these two
@@ -194,7 +197,7 @@ one makes it a :term:`forbidden view`.  The forbidden view is
 displayed whenever Pyramid or your application raises an
 :class:`pyramid.httpexceptions.HTTPForbidden` exception.  In this
 case, we'll be relying on the forbidden view to show the login form
-whenver someone attempts to execute an action which they're not yet
+whenever someone attempts to execute an action which they're not yet
 authorized to perform.
 
 The ``logout`` view callable is decorated with a ``@view_config`` decorator
@@ -305,7 +308,8 @@ is ``None``, such as when a user is not authenticated.
 Seeing Our Changes
 ~~~~~~~~~~~~~~~~~~
 
-Our ``__init__.py`` module will look something like this when we're done:
+Our ``tutorial/tutorial/__init__.py`` will look something like this
+when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
@@ -314,7 +318,8 @@ Our ``__init__.py`` module will look something like this when we're done:
 
 (Only the highlighted lines need to be added.)
 
-Our ``views.py`` module will look something like this when we're done:
+Our ``tutorial/tutorial/views.py`` will look something like this
+when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
@@ -323,7 +328,8 @@ Our ``views.py`` module will look something like this when we're done:
 
 (Only the highlighted lines need to be added.)
 
-Our ``edit.pt`` template will look something like this when we're done:
+Our ``tutorial/tutorial/templates/edit.pt`` template will look
+something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.pt
    :emphasize-lines: 41-43
@@ -331,7 +337,8 @@ Our ``edit.pt`` template will look something like this when we're done:
 
 (Only the highlighted lines need to be added.)
 
-Our ``view.pt`` template will look something like this when we're done:
+Our ``tutorial/tutorial/templates/view.pt`` template will look
+something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.pt
    :emphasize-lines: 41-43
-- 
cgit v1.2.3


From 10de7fd9ab77a54932cde314850239cbc1ad90bc Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Fri, 6 Apr 2012 16:10:26 -0500
Subject: Improve Authorization in the SQL tutorial

- Made the section headers more explicit and
  rearranged them in a group for access control
  and another for login/logout
- Split the summary in the two groups
- Added missing section Add routes for
  /login and /logout
- Clarify some sections
---
 docs/tutorials/wiki2/authorization.rst | 245 ++++++++++++++++-----------------
 1 file changed, 121 insertions(+), 124 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 3573e06af..6549418da 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -12,19 +12,27 @@ to allow only people who possess a specific username (`editor`)
 to add and edit wiki pages but we'll continue allowing anyone with access to
 the server to view pages.
 
-We will do the following steps:
+We will also add a login page and a logout link on all the
+pages.  The login page will be shown when a user is denied
+access to any of the views that require a permission, instead of
+a default "403 Forbidden" page.
 
-* Add a :term:`root factory` with an :term:`ACL` (``models.py``,
+We will implement the access control with the following steps:
+
+* Add users and groups (``security.py``, a new module).
+* Add an :term:`ACL` (``models.py`` and
   ``__init__.py``).
 * Add an :term:`authentication policy` and an :term:`authorization policy`
   (``__init__.py``).
-* Add an authentication policy callback (new ``security.py`` module).
-* Add routes for /login and /logout (``__init__.py``).
-* Add ``login`` and ``logout`` views (``views.py``).
 * Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
   views (``views.py``).
+
+Then we will add the login and logout feature:
+
+* Add routes for /login and /logout (``__init__.py``).
+* Add ``login`` and ``logout`` views (``views.py``).
+* Add a login template (``login.pt``).
 * Make the existing views return a ``logged_in`` flag to the renderer (``views.py``).
-* Add a login template (new ``login.pt``).
 * Add a "Logout" link to be shown when logged in and viewing or editing a page
   (``view.pt``, ``edit.pt``).
 
@@ -32,8 +40,37 @@ The source code for this tutorial stage can be browsed at
 `http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/
 <http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/>`_.
 
-Adding A Root Factory
-~~~~~~~~~~~~~~~~~~~~~
+Add users and groups
+~~~~~~~~~~~~~~~~~~~~
+
+Create a new ``tutorial/tutorial/security.py`` module with the
+following content:
+
+.. literalinclude:: src/authorization/tutorial/security.py
+   :linenos:
+   :language: python
+
+The ``groupfinder`` function accepts a userid and a request and
+returns one of these values:
+
+- If the userid exists in the system, it will return a
+  sequence of group identifiers (or an empty sequence if the user
+  isn't a member of any groups).
+- If the userid *does not* exist in the system, it will
+  return ``None``.
+
+For example, ``groupfinder('editor', request )`` returns ['group:editor'],
+``groupfinder('viewer', request)`` returns [], and ``groupfinder('admin', request)``
+returns ``None``.  We will use ``groupfinder()`` as an :term:`authentication policy`
+"callback" that will provide the :term:`principal` or principals
+for a user.
+
+In a production system, user and group
+data will most often come from a database, but here we use "dummy"
+data to represent user and groups sources.
+
+Add an ACL
+~~~~~~~~~~
 
 Open ``tutorial/tutorial/models.py`` and add the following import
 statement at the head:
@@ -50,13 +87,22 @@ Add the following class definition:
    :linenos:
    :language: python
 
-The ``RootFactory`` class is a :term:`root factory` that will be used by
-:app:`Pyramid` to construct the :term:`context` of each request to
-our application.  The context is attached to the request
-object passed to our view callables as the ``context`` attribute,
-and will be decorated with security declarations.   By using a custom
-root factory to generate our contexts, we can use the
-declarative security features of :app:`Pyramid`.
+We import :data:`~pyramid.security.Allow`, an action that
+means that permission is allowed:, and
+:data:`~pyramid.security.Everyone`, a special :term:`principal`
+that is associated to all requests.  Both are used in the
+:term:`ACE` entries that make up the ACL.
+
+The ACL is a list that needs to be named `__acl__` and be an
+attribute of a class.  We define an :term:`ACL` with two
+:term:`ACE` entries: the first entry allows any user the `view`
+permission.  The second entry allows the ``group:editors``
+principal  the `edit` permission.
+
+The ``RootFactory`` class that contains the ACL is a :term:`root factory`.
+We need to associate it to our :app:`Pyramid` application, so the ACL is
+provided to each view as the :term:`context` of each request, as
+the ``context`` attribute.
 
 Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory``
 parameter to our :term:`Configurator` constructor, that points to
@@ -70,13 +116,9 @@ the class we created above:
 
 (Only the highlighted line needs to be added.)
 
-The context object generated by our root factory will possess an ``__acl__``
-attribute that allows :data:`pyramid.security.Everyone` (a special principal)
-to view all pages, while allowing only a :term:`principal` named
-``group:editors`` to edit and add pages.  The ``__acl__`` attribute attached
-to a context is interpreted specially by :app:`Pyramid` as an access control
-list during view callable execution.  See :ref:`assigning_acls` for more
-information about what an :term:`ACL` represents.
+We are now providing the ACL to the application.  See
+:ref:`assigning_acls` for more information about what an
+:term:`ACL` represents.
 
 .. note::
 
@@ -85,17 +127,10 @@ information about what an :term:`ACL` represents.
     the ``factory`` argument to
     :meth:`pyramid.config.Configurator.add_route` for more info.
 
-Add an Authorization Policy and an Authentication Policy
+Add an Authentication Policy and an Authorization Policy
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-For any :app:`Pyramid` application to perform authorization, we need to add a
-``security.py`` module (we'll do that shortly) and we'll need to change our
-``__init__.py`` file to add an :term:`authentication policy` and an
-:term:`authorization policy` which uses the ``security.py`` file for a
-*callback*.
-
-We'll enable an ``AuthTktAuthenticationPolicy`` and an ``ACLAuthorizationPolicy``
-to implement declarative security checking. Open ``tutorial/__init__.py`` and
+Open ``tutorial/__init__.py`` and
 add these import statements:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
@@ -113,46 +148,37 @@ Now add those policies to the configuration:
 
 (Only the highlighted lines need to be added.)
 
+We are enabling an ``AuthTktAuthenticationPolicy``, it is based in an auth
+ticket that may be included in the request,  and an ``ACLAuthorizationPolicy``
+that uses an ACL to determine the allow or deny outcome for a view.
+
 Note that the
 :class:`pyramid.authentication.AuthTktAuthenticationPolicy` constructor
 accepts two arguments: ``secret`` and ``callback``.  ``secret`` is a string
 representing an encryption key used by the "authentication ticket" machinery
-represented by this policy: it is required.  The ``callback`` is a
-``groupfinder`` function in the current directory's ``security.py`` file.  We
-haven't added that module yet, but we're about to.
+represented by this policy: it is required.  The ``callback`` is the
+``groupfinder()`` function the we created before.
 
-Adding an authentication policy callback
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add permission declarations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Create a new ``tutorial/tutorial/security.py`` module with the
-following content:
+Add a ``permission='edit'`` parameter to the ``@view_config``
+decorator for ``add_page()`` and ``edit_page()``, for example:
 
-.. literalinclude:: src/authorization/tutorial/security.py
+.. code-block:: python
    :linenos:
-   :language: python
+   :emphasize-lines: 2
 
-``groupfinder()`` is an :term:`authentication policy`
-"callback"; it is a function that accepts a userid and a request and
-returns one of these values:
+   @view_config(route_name='add_page', renderer='templates/edit.pt',
+                permission='edit')
 
-- If the userid exists in the system, the callback will return a
-  sequence of group identifiers (or an empty sequence if the user
-  isn't a member of any groups).
-- If the userid *does not* exist in the system, the callback will
-  return ``None``.
+(Only the highlighted line needs to be added.)
 
-We've given the ``editor`` user membership to the ``group:editors`` by
-mapping him to this group in the ``GROUPS`` data structure above.
-Since the ``groupfinder`` function
-consults the ``GROUPS`` data structure, this will mean that, as a
-result of the ACL attached to the :term:`context` object returned by
-the root factory, and the permission associated with the ``add_page``
-and ``edit_page`` views, the ``editor`` user should be able to add and
-edit pages.
+The result is that only users who possess the ``edit``
+permission at the time of the request may invoke those two views.
 
-In a production system, user and group
-data will most often come from a database, but here we use "dummy"
-data to represent user and groups sources.
+We are done with the changes needed to control access.  The
+changes that follow will add the login and logout feature.
 
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -174,87 +200,70 @@ We'll also add a ``logout`` view callable to our application and
 provide a link to it.  This view will clear the credentials of the
 logged in user and redirect back to the front page.
 
-The ``login`` view callable will look something like this:
+Add the following import statements to the
+head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 89-115
+   :lines: 9-16,18,24-25
    :linenos:
+   :emphasize-lines: 3,6-9,11
    :language: python
 
-The ``logout`` view callable will look something like this:
+(Only the highlighted lines need to be added.)
+
+:meth:`~pyramid.view.forbidden_view_config` will be used
+to customize the default 403 Forbidden page.
+:meth:`~pyramid.security.remember` and
+:meth:`~pyramid.security.forget` help to create and
+expire an auth ticket cookie.
+
+Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 117-121
+   :lines: 89-121
    :linenos:
    :language: python
 
-The ``login`` view callable is decorated with two decorators, a
+``login()`` is decorated with two decorators, a
 ``@view_config`` decorator, which associates it with the ``login``
-route, and a ``@forbidden_view_config`` decorator which turns it in to
-an :term:`exception view`.  The one which associates it with the
-``login`` route makes it visible when we visit ``/login``.  The other
-one makes it a :term:`forbidden view`.  The forbidden view is
+route and makes it visible when we visit ``/login``,
+and a ``@forbidden_view_config`` decorator which turns it into
+an :term:`forbidden view`.  The forbidden view is
 displayed whenever Pyramid or your application raises an
 :class:`pyramid.httpexceptions.HTTPForbidden` exception.  In this
-case, we'll be relying on the forbidden view to show the login form
-whenever someone attempts to execute an action which they're not yet
+case we'll show the login form whenever someone attempts
+to execute an action which they're not yet
 authorized to perform.
 
-The ``logout`` view callable is decorated with a ``@view_config`` decorator
-which associates it with the ``logout`` route.  This makes it visible when we
+``logout()`` is decorated with a ``@view_config`` decorator
+which associates it with the ``logout`` route.  This makes it match when we
 visit ``/logout``.
 
-We'll need to import some stuff to service the needs of these two functions:
-the ``pyramid.view.forbidden_view_config`` class, a number of values from the
-``pyramid.security`` module, and a value from our newly added
-``tutorial.security`` package.  Add the following import statements to the
-head of ``tutorial/tutorial/views.py``:
-
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 9-18,24-25
-   :linenos:
-   :emphasize-lines: 3,7-8,12
-   :language: python
-
-(Only the highlighted lines need to be added.)
-
-Add permission declarations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Add a ``permission='edit'`` parameter to the ``@view_config``
-decorator for ``add_page()`` and ``edit_page()``, for example:
-
-.. code-block:: python
-   :linenos:
-   :emphasize-lines: 2
-
-   @view_config(route_name='add_page', renderer='templates/edit.pt',
-                permission='edit')
+Adding the ``login.pt`` Template
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-(Only the highlighted line needs to be added.)
+Create ``tutorial/tutorial/templates/login.pt`` with the following
+content:
 
-The result is that only users who possess the ``edit``
-permission at the time of the request may invoke those two views.
+.. literalinclude:: src/authorization/tutorial/templates/login.pt
+   :language: xml
 
-We've granted the ``group:editors`` :term:`principal` the ``edit``
-permission in the :term:`root factory` via its ACL, so only a user who
-is a member of the group named ``group:editors`` will be able to
-invoke the views associated with the ``add_page`` or ``edit_page``
-routes.
+The above template is referred to within the login view we just
+added to ``views.py``.
 
 Return a logged_in flag to the renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add the following import statement to the head of
+Add the following line to the import at the head of
 ``tutorial/tutorial/views.py``:
 
-.. code-block:: python
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 14-18
    :linenos:
+   :emphasize-lines: 4
+   :language: python
 
-   from pyramid.security import (
-        authenticated_userid,
-        )
-
+(Only the highlighted line needs to be added.)
 
 Add a  ``logged_in`` parameter to the return value of
 ``view_page()``, ``edit_page()`` and  ``add_page()``,
@@ -275,18 +284,6 @@ like this:
 if the user is not authenticated, or some user id it the user
 is authenticated.
 
-Adding the ``login.pt`` Template
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Create ``tutorial/tutorial/templates/login.pt`` with the following
-content:
-
-.. literalinclude:: src/authorization/tutorial/templates/login.pt
-   :language: xml
-
-The above template is referred to within the login view we just
-added to ``views.py``.
-
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- 
cgit v1.2.3


From 89e011e72ae8bbec1e6d91cfbe7be83e2352d6fd Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Fri, 6 Apr 2012 17:51:53 -0500
Subject: Added first level sections, fixed route in the summary

---
 docs/tutorials/wiki2/authorization.rst | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 6549418da..14b075ce6 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -40,6 +40,9 @@ The source code for this tutorial stage can be browsed at
 `http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/
 <http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/>`_.
 
+Access Control
+--------------
+
 Add users and groups
 ~~~~~~~~~~~~~~~~~~~~
 
@@ -180,6 +183,9 @@ permission at the time of the request may invoke those two views.
 We are done with the changes needed to control access.  The
 changes that follow will add the login and logout feature.
 
+Login, Logout
+-------------
+
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Go back to ``tutorial/tutorial/__init__.py`` and add these two
@@ -303,7 +309,7 @@ the logout view.  The above element will not be included if ``logged_in``
 is ``None``, such as when a user is not authenticated.
 
 Seeing Our Changes
-~~~~~~~~~~~~~~~~~~
+------------------
 
 Our ``tutorial/tutorial/__init__.py`` will look something like this
 when we're done:
@@ -344,7 +350,7 @@ something like this when we're done:
 (Only the highlighted lines need to be added.)
 
 Viewing the Application in a Browser
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------
 
 We can finally examine our application in a browser (See
 :ref:`wiki2-start-the-application`).  Launch a browser and visit
-- 
cgit v1.2.3


From a435dba13c6bc0fd0199d06fdbb3e43a4f1263c7 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sat, 7 Apr 2012 10:51:58 -0500
Subject: Normalize Authorization in both tutorials 1

- Sync the content of the introduction and the
  Viewing the Application in a Browser sections
- Sync the section structure
---
 docs/tutorials/wiki2/authorization.rst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 14b075ce6..9f2ffe9e1 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -8,9 +8,9 @@ Adding Authorization
 :term:`authorization`.  We'll make use of both features to provide security
 to our application.  Our application currently allows anyone with access to
 the server to view, edit, and add pages to our wiki.  We'll change that
-to allow only people who possess a specific username (`editor`)
-to add and edit wiki pages but we'll continue allowing anyone with access to
-the server to view pages.
+to allow only people who are members of a *group* named ``group:editors``
+to add and edit wiki pages but we'll continue allowing
+anyone with access to the server to view pages.
 
 We will also add a login page and a logout link on all the
 pages.  The login page will be shown when a user is denied
@@ -196,8 +196,8 @@ routes:
    :linenos:
    :language: python
 
-Adding Login and Logout Views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add Login and Logout Views
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To our ``views.py`` we'll add a ``login`` view callable which renders a login
 form and processes the post from the login form, checking credentials.
@@ -245,8 +245,8 @@ authorized to perform.
 which associates it with the ``logout`` route.  This makes it match when we
 visit ``/logout``.
 
-Adding the ``login.pt`` Template
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add the ``login.pt`` Template
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Create ``tutorial/tutorial/templates/login.pt`` with the following
 content:
-- 
cgit v1.2.3


From 9168ec5a6b96824b35788bf7f1ab5cadb236b392 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sat, 7 Apr 2012 19:48:03 -0500
Subject: Ordered sections as per the summary

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 9f2ffe9e1..dcbea2b42 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -130,8 +130,8 @@ We are now providing the ACL to the application.  See
     the ``factory`` argument to
     :meth:`pyramid.config.Configurator.add_route` for more info.
 
-Add an Authentication Policy and an Authorization Policy
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add Authentication and Authorization Policies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Open ``tutorial/__init__.py`` and
 add these import statements:
-- 
cgit v1.2.3


From 6c3dd2f690c1a92aaf396d44f4b9450a477a67fc Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sat, 7 Apr 2012 21:01:25 -0500
Subject: Normalize Authorization in both tutorials 2

- Sync content of Add users and groups, and
  Add an ACL.
- Added yellow highlight to listings in
  Seeing our changes, added models.py
---
 docs/tutorials/wiki2/authorization.rst | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index dcbea2b42..75037da5f 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -104,7 +104,7 @@ principal  the `edit` permission.
 
 The ``RootFactory`` class that contains the ACL is a :term:`root factory`.
 We need to associate it to our :app:`Pyramid` application, so the ACL is
-provided to each view as the :term:`context` of each request, as
+provided to each view in the :term:`context` of the request, as
 the ``context`` attribute.
 
 Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory``
@@ -321,6 +321,16 @@ when we're done:
 
 (Only the highlighted lines need to be added.)
 
+Our ``tutorial/tutorial/models.py`` will look something like this
+when we're done:
+
+.. literalinclude:: src/authorization/tutorial/models.py
+   :linenos:
+   :emphasize-lines: 1-4,35-39
+   :language: python
+
+(Only the highlighted lines need to be added.)
+
 Our ``tutorial/tutorial/views.py`` will look something like this
 when we're done:
 
-- 
cgit v1.2.3


From c226b1ae080aa7d19c47626b07fe6d8ef6bbba9e Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 8 Apr 2012 07:34:21 -0500
Subject: Normalize Authorization in both tutorials 3

- Sync content in Adding Authentication and
  Authorization policies, Add permission
  declarations sections
- Added mising permission=view in SQL tutorial
- Moved __init__.py listing to Seeing our changes
---
 docs/tutorials/wiki2/authorization.rst | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 75037da5f..0bf50f674 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -160,7 +160,7 @@ Note that the
 accepts two arguments: ``secret`` and ``callback``.  ``secret`` is a string
 representing an encryption key used by the "authentication ticket" machinery
 represented by this policy: it is required.  The ``callback`` is the
-``groupfinder()`` function the we created before.
+``groupfinder()`` function that we created before.
 
 Add permission declarations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -180,6 +180,20 @@ decorator for ``add_page()`` and ``edit_page()``, for example:
 The result is that only users who possess the ``edit``
 permission at the time of the request may invoke those two views.
 
+Add a ``permission='view'`` parameter to the ``@view_config``
+decorator for ``view_wiki()`` and ``view_page()``, like this:
+
+.. code-block:: python
+   :linenos:
+   :emphasize-lines: 2
+
+   @view_config(route_name='view_page', renderer='templates/view.pt',
+                permission='view')
+
+(Only the highlighted line needs to be added.)
+
+This allows anyone to invoke these two views.
+
 We are done with the changes needed to control access.  The
 changes that follow will add the login and logout feature.
 
@@ -336,7 +350,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,14-18,56,59,71,74,86,89-115,117-121
+   :emphasize-lines: 11,14-18,31,37,58,61,73,76,88,91-117,119-123
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From fad5003b4f0cba6217c23e2f3aa40bf7cb4f8200 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 8 Apr 2012 09:13:06 -0500
Subject: Normalize Authorization in both tutorials 4

- Sync content of Add login and logout views,
  Add the login.pt template, Return a logged_in
  flag, Add a logout link sections
- Normalize sections of views.py
---
 docs/tutorials/wiki2/authorization.rst | 39 ++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 18 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 0bf50f674..0294f8690 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -213,8 +213,8 @@ routes:
 Add Login and Logout Views
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-To our ``views.py`` we'll add a ``login`` view callable which renders a login
-form and processes the post from the login form, checking credentials.
+We'll add a ``login`` view which renders a login form and processes
+the post from the login form, checking credentials.
 
 We'll also add a ``logout`` view callable to our application and
 provide a link to it.  This view will clear the credentials of the
@@ -240,24 +240,27 @@ expire an auth ticket cookie.
 Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 89-121
+   :lines: 91-123
    :linenos:
    :language: python
 
-``login()`` is decorated with two decorators, a
-``@view_config`` decorator, which associates it with the ``login``
-route and makes it visible when we visit ``/login``,
-and a ``@forbidden_view_config`` decorator which turns it into
-an :term:`forbidden view`.  The forbidden view is
-displayed whenever Pyramid or your application raises an
-:class:`pyramid.httpexceptions.HTTPForbidden` exception.  In this
-case we'll show the login form whenever someone attempts
-to execute an action which they're not yet
-authorized to perform.
+``login()`` is decorated with two decorators:
+
+- a ``@view_config`` decorator which associates it with the
+  ``login`` route and makes it visible when we visit ``/login``,
+- a ``@forbidden_view_config`` decorator which turns it into
+  an :term:`forbidden view`. ``login()`` will be invoked
+  when a users tries to execute a view callable that
+  they are not allowed to.  For example, if a user has not logged in
+  and tries to add or edit a Wiki page, he will be shown the
+  login form before being allowed to continue on.
+
+The order of these two :term:`view configuration` decorators
+is unimportant.
 
 ``logout()`` is decorated with a ``@view_config`` decorator
-which associates it with the ``logout`` route.  This makes it match when we
-visit ``/logout``.
+which associates it with the ``logout`` route.  It will be
+invoked when we visit ``/logout``.
 
 Add the ``login.pt`` Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -291,12 +294,12 @@ like this:
 
 .. code-block:: python
    :linenos:
-   :emphasize-lines: 3
+   :emphasize-lines: 4
 
    return dict(page = page,
                content = content,
-               logged_in = authenticated_userid(request),
-               edit_url = edit_url)
+               edit_url = edit_url,
+               logged_in = authenticated_userid(request))
 
 (Only the highlighted line needs to be added.)
 
-- 
cgit v1.2.3


From 6d46a771ab8af1cd0dd61de0a99f898698c4a961 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sun, 8 Apr 2012 09:50:19 -0500
Subject: Final details

- Normalize the Seeing our changes section
- Changed import to recommended style
---
 docs/tutorials/wiki2/authorization.rst | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 0294f8690..2ef55d15b 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -362,6 +362,7 @@ Our ``tutorial/tutorial/templates/edit.pt`` template will look
 something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.pt
+   :linenos:
    :emphasize-lines: 41-43
    :language: xml
 
@@ -371,6 +372,7 @@ Our ``tutorial/tutorial/templates/view.pt`` template will look
 something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.pt
+   :linenos:
    :emphasize-lines: 41-43
    :language: xml
 
-- 
cgit v1.2.3


From b4f193258837f94d6e4d069f37538dc6f55af709 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Thu, 2 Aug 2012 00:37:26 -0400
Subject: closes #643

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 2ef55d15b..d7bd24a53 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -353,7 +353,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,14-18,31,37,58,61,73,76,88,91-117,119-123
+   :emphasize-lines: 11,14-18,25,31,37,58,61,73,76,88,91-117,119-123
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 098599b497fb6cd7c9372ceb795e9e8a416d573e Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sat, 22 Sep 2012 10:04:14 -0400
Subject: - Add ``Base.metadata.bind = engine`` to alchemy template, so that
 tables   defined imperatively will work.

- update wiki2 SQLA tutorial with the changes required after inserting
  ``Base.metadata.bind = engine`` into the alchemy scaffold.
---
 docs/tutorials/wiki2/authorization.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d7bd24a53..6b2d44410 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -112,7 +112,7 @@ parameter to our :term:`Configurator` constructor, that points to
 the class we created above:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 19-20
+   :lines: 23-24
    :linenos:
    :emphasize-lines: 2
    :language: python
@@ -144,7 +144,7 @@ add these import statements:
 Now add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 16-22
+   :lines: 20-26
    :linenos:
    :emphasize-lines: 1-3,6-7
    :language: python
@@ -206,7 +206,7 @@ Go back to ``tutorial/tutorial/__init__.py`` and add these two
 routes:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 25-26
+   :lines: 29-30
    :linenos:
    :language: python
 
@@ -333,7 +333,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
-   :emphasize-lines: 2-3,7,16-18,20-22,25-26
+   :emphasize-lines: 2-3,7,23-24,20-26,29-30
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 04875452db1da40bd8ed0841869d511b8d86527d Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sun, 4 Nov 2012 01:51:42 -0500
Subject: fix docs, upgrade tutorials, add change note, deprecate using
 zope.deprecation instead of a warning, make hashalg arg a kwarg in certain
 cases in case someone (maybe me) is using nonapi function imports from
 authentication

---
 docs/tutorials/wiki2/authorization.rst | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 6b2d44410..e3087dea5 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -151,15 +151,15 @@ Now add those policies to the configuration:
 
 (Only the highlighted lines need to be added.)
 
-We are enabling an ``AuthTktAuthenticationPolicy``, it is based in an auth
-ticket that may be included in the request,  and an ``ACLAuthorizationPolicy``
-that uses an ACL to determine the allow or deny outcome for a view.
-
-Note that the
-:class:`pyramid.authentication.AuthTktAuthenticationPolicy` constructor
-accepts two arguments: ``secret`` and ``callback``.  ``secret`` is a string
-representing an encryption key used by the "authentication ticket" machinery
-represented by this policy: it is required.  The ``callback`` is the
+We are enabling an ``SHA512AuthTktAuthenticationPolicy``, it is based in an
+auth ticket that may be included in the request, and an
+``ACLAuthorizationPolicy`` that uses an ACL to determine the allow or deny
+outcome for a view.
+
+Note that the :class:`pyramid.authentication.SHA512AuthTktAuthenticationPolicy`
+constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
+a string representing an encryption key used by the "authentication ticket"
+machinery represented by this policy: it is required.  The ``callback`` is the
 ``groupfinder()`` function that we created before.
 
 Add permission declarations
-- 
cgit v1.2.3


From 19b8207ff1e959669d296407ed112545364a495d Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Sun, 4 Nov 2012 11:19:41 -0600
Subject: merged SHA512AuthTktAuthenticationPolicy into
 AuthTktAuthenticationPolicy

AuthTktAuthenticationPolicy now accepts a hashalg parameter and is no
longer deprecated. Docs recommend overriding hashalg and using 'sha512'.
---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index e3087dea5..1ddf8c82d 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -151,12 +151,12 @@ Now add those policies to the configuration:
 
 (Only the highlighted lines need to be added.)
 
-We are enabling an ``SHA512AuthTktAuthenticationPolicy``, it is based in an
+We are enabling an ``AuthTktAuthenticationPolicy``, it is based in an
 auth ticket that may be included in the request, and an
 ``ACLAuthorizationPolicy`` that uses an ACL to determine the allow or deny
 outcome for a view.
 
-Note that the :class:`pyramid.authentication.SHA512AuthTktAuthenticationPolicy`
+Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
 constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
 a string representing an encryption key used by the "authentication ticket"
 machinery represented by this policy: it is required.  The ``callback`` is the
-- 
cgit v1.2.3


From e90fa43a8051dfc8799596e17b72fd3d3def6516 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sat, 1 Dec 2012 19:43:02 -0600
Subject: Sync __init__.py in SQL wiki tutorial

- Update lines and emphasized-lines

- No line numbers if only a single line
---
 docs/tutorials/wiki2/authorization.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1ddf8c82d..ffaf1e35e 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -112,7 +112,7 @@ parameter to our :term:`Configurator` constructor, that points to
 the class we created above:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 23-24
+   :lines: 24-25
    :linenos:
    :emphasize-lines: 2
    :language: python
@@ -144,7 +144,7 @@ add these import statements:
 Now add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 20-26
+   :lines: 21-27
    :linenos:
    :emphasize-lines: 1-3,6-7
    :language: python
@@ -206,7 +206,7 @@ Go back to ``tutorial/tutorial/__init__.py`` and add these two
 routes:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 29-30
+   :lines: 30-31
    :linenos:
    :language: python
 
@@ -333,7 +333,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
-   :emphasize-lines: 2-3,7,23-24,20-26,29-30
+   :emphasize-lines: 2-3,7,21-23,25-27,30-31
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 479178179df2e3554d81d8c42d7ff46b75901c62 Mon Sep 17 00:00:00 2001
From: Patricio Paez <pp@pp.com.mx>
Date: Sat, 1 Dec 2012 22:30:50 -0600
Subject: Sync models.py in SQL wiki tutorial

- Update lines and emphasized-lines

- No line numbers if only a single line
---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index ffaf1e35e..d98fb87e4 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -86,7 +86,7 @@ statement at the head:
 Add the following class definition:
 
 .. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 35-39
+   :lines: 36-40
    :linenos:
    :language: python
 
@@ -343,7 +343,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/models.py
    :linenos:
-   :emphasize-lines: 1-4,35-39
+   :emphasize-lines: 1-4,36-40
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From fe197640038f0aa18a8d453e820df9e1b2d1bee7 Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Sat, 5 Jan 2013 15:18:36 +0200
Subject: typo

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d98fb87e4..cfbc8ca75 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -14,7 +14,7 @@ anyone with access to the server to view pages.
 
 We will also add a login page and a logout link on all the
 pages.  The login page will be shown when a user is denied
-access to any of the views that require a permission, instead of
+access to any of the views that require permission, instead of
 a default "403 Forbidden" page.
 
 We will implement the access control with the following steps:
-- 
cgit v1.2.3


From 064080f2496ef09eb79a0c370eb0db9dfd5c459c Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Sat, 5 Jan 2013 19:28:09 +0200
Subject: sentence too long; also fix grammar, and add markup

---
 docs/tutorials/wiki2/authorization.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d98fb87e4..933c37f94 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -62,7 +62,7 @@ returns one of these values:
 - If the userid *does not* exist in the system, it will
   return ``None``.
 
-For example, ``groupfinder('editor', request )`` returns ['group:editor'],
+For example, ``groupfinder('editor', request )`` returns ``['group:editor']``,
 ``groupfinder('viewer', request)`` returns [], and ``groupfinder('admin', request)``
 returns ``None``.  We will use ``groupfinder()`` as an :term:`authentication policy`
 "callback" that will provide the :term:`principal` or principals
@@ -151,10 +151,10 @@ Now add those policies to the configuration:
 
 (Only the highlighted lines need to be added.)
 
-We are enabling an ``AuthTktAuthenticationPolicy``, it is based in an
-auth ticket that may be included in the request, and an
-``ACLAuthorizationPolicy`` that uses an ACL to determine the allow or deny
-outcome for a view.
+We are enabling an ``AuthTktAuthenticationPolicy``, which is based in an
+auth ticket that may be included in the request.
+We are also enabling an ``ACLAuthorizationPolicy``, which uses an ACL to
+determine the *allow* or *deny* outcome for a view.
 
 Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
 constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
-- 
cgit v1.2.3


From 97895f871d1e2bd168e4bfb29d61472a44d3b0e9 Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Sat, 5 Jan 2013 20:14:25 +0200
Subject: no need to display the entire path

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d98fb87e4..ff269ef6b 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -156,7 +156,7 @@ auth ticket that may be included in the request, and an
 ``ACLAuthorizationPolicy`` that uses an ACL to determine the allow or deny
 outcome for a view.
 
-Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
+Note that the :class:`~pyramid.authentication.AuthTktAuthenticationPolicy`
 constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
 a string representing an encryption key used by the "authentication ticket"
 machinery represented by this policy: it is required.  The ``callback`` is the
-- 
cgit v1.2.3


From 998b3970c98baa0c591507f94e6ec32b65969045 Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Sat, 5 Jan 2013 20:38:25 +0200
Subject: remove info that should be obvious to the reader

---
 docs/tutorials/wiki2/authorization.rst | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d98fb87e4..03a06e304 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -303,9 +303,8 @@ like this:
 
 (Only the highlighted line needs to be added.)
 
-:meth:`~pyramid.security.authenticated_userid()` will return None
-if the user is not authenticated, or some user id it the user
-is authenticated.
+The :meth:`~pyramid.security.authenticated_userid` method will return None
+if the user is not authenticated.
 
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- 
cgit v1.2.3


From 445eb8708fa48209947377f6de609799dd843ad6 Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Sun, 20 Jan 2013 17:10:40 +0200
Subject: point to the sources of the wiki tutorials in just one location; fix
 #763

* This avoids having to update the link multiple times.
* Also, mention their location, in case user has Pyramid checkout.
---
 docs/tutorials/wiki2/authorization.rst | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 321f1f9c4..5ede26920 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -36,9 +36,6 @@ Then we will add the login and logout feature:
 * Add a "Logout" link to be shown when logged in and viewing or editing a page
   (``view.pt``, ``edit.pt``).
 
-The source code for this tutorial stage can be browsed at
-`http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/
-<http://github.com/Pylons/pyramid/tree/1.3-branch/docs/tutorials/wiki2/src/authorization/>`_.
 
 Access Control
 --------------
-- 
cgit v1.2.3


From 4febbc439b95ff29bcfca3bc33d123d80c304bd7 Mon Sep 17 00:00:00 2001
From: Tshepang Lekhonkhobe <tshepang@gmail.com>
Date: Mon, 25 Mar 2013 02:03:24 +0200
Subject: make example links clickable, for convenience

---
 docs/tutorials/wiki2/authorization.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 5ede26920..01c301e74 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -381,21 +381,21 @@ We can finally examine our application in a browser (See
 :ref:`wiki2-start-the-application`).  Launch a browser and visit
 each of the following URLs, check that the result is as expected:
 
-- ``http://localhost:6543/`` invokes the
+- http://localhost:6543/ invokes the
   ``view_wiki`` view.  This always redirects to the ``view_page`` view
   of the FrontPage page object.  It is executable by any user.
 
-- ``http://localhost:6543/FrontPage`` invokes
+- http://localhost:6543/FrontPage invokes
   the ``view_page`` view of the FrontPage page object.
 
-- ``http://localhost:6543/FrontPage/edit_page``
+- http://localhost:6543/FrontPage/edit_page
   invokes the edit view for the FrontPage object.  It is executable by
   only the ``editor`` user.  If a different user (or the anonymous
   user) invokes it, a login form will be displayed.  Supplying the
   credentials with the username ``editor``, password ``editor`` will
   display the edit page form.
 
-- ``http://localhost:6543/add_page/SomePageName``
+- http://localhost:6543/add_page/SomePageName
   invokes the add view for a page.  It is executable by only
   the ``editor`` user.  If a different user (or the anonymous user)
   invokes it, a login form will be displayed.  Supplying the
-- 
cgit v1.2.3


From 404b28ba2efb02d93777a3e01fd602c96af8c077 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Fri, 6 Sep 2013 00:02:46 -0500
Subject: update the code in the wiki and wiki2 tutorials to use
 pyramid_chameleon

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 01c301e74..df2e9e149 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -203,7 +203,7 @@ Go back to ``tutorial/tutorial/__init__.py`` and add these two
 routes:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 30-31
+   :lines: 31-32
    :linenos:
    :language: python
 
@@ -329,7 +329,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
-   :emphasize-lines: 2-3,7,21-23,25-27,30-31
+   :emphasize-lines: 2-3,7,21-23,25-27,31-32
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 24ac1ff6b4fbed346c18c759790ae1656a5fdcb3 Mon Sep 17 00:00:00 2001
From: Bert JW Regeer <bertjw@regeer.org>
Date: Fri, 6 Sep 2013 21:19:59 -0600
Subject: Update line numbers as appropriate

Removing __init__ moved some code around, update the line numbers as
appropriate so that the right sections of code get highlighted.
---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 01c301e74..2af56868c 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -83,7 +83,7 @@ statement at the head:
 Add the following class definition:
 
 .. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 36-40
+   :lines: 33-37
    :linenos:
    :language: python
 
@@ -339,7 +339,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/models.py
    :linenos:
-   :emphasize-lines: 1-4,36-40
+   :emphasize-lines: 1-4,33-37
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 3c2f95e8049bbd45b144d454daa68005361828b2 Mon Sep 17 00:00:00 2001
From: Matt Russell <mattr@netsight.co.uk>
Date: Thu, 24 Oct 2013 23:52:42 +0100
Subject: Security APIs on pyramid.request.Request

The pyramid.security Authorization API function has_permission is made available on the request.
The pyramid.security Authentication API functions are now available as
properties (unauthenticated_userid, authenticated_userid, effective_principals)
and methods (remember_userid, forget_userid) on pyramid.request.Request.

Backwards compatibility:
    For each of the APIs moved to request method or property,
    the original API in the pyramid.security module proxies to the request.

Reworked tests to check module level b/c wrappers call through to mixins for each API.
Tests that check no reg on request now do the right thing.
Use a response callback to set the request headers for forget_userid and remember_userid.

Update docs.

Attempt to improve a documentation section referencing the pyramid.security.has_permission
function in docs/narr/resources.rst

Ensures backwards compatiblity for `pyramid.security.forget`
and `pyramid.security.remember`.
---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index cf20db6d7..2b4263610 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -230,8 +230,8 @@ head of ``tutorial/tutorial/views.py``:
 
 :meth:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
-:meth:`~pyramid.security.remember` and
-:meth:`~pyramid.security.forget` help to create and
+:meth:`~pyramid.request.Request.remember_userid` and
+:meth:`~pyramid.request.Request.forget_userid` help to create and
 expire an auth ticket cookie.
 
 Now add the ``login`` and ``logout`` views:
-- 
cgit v1.2.3


From 3657ba974660677050fe4a62441c2073bd71203c Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Wed, 30 Oct 2013 20:08:58 -0400
Subject: fix wiki2 tutorial wrt request-method security APIs

---
 docs/tutorials/wiki2/authorization.rst | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 2b4263610..830cb0277 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -221,14 +221,14 @@ Add the following import statements to the
 head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 9-16,18,24-25
+   :lines: 9-12,19
    :linenos:
-   :emphasize-lines: 3,6-9,11
+   :emphasize-lines: 3,5
    :language: python
 
 (Only the highlighted lines need to be added.)
 
-:meth:`~pyramid.view.forbidden_view_config` will be used
+:func:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
 :meth:`~pyramid.request.Request.remember_userid` and
 :meth:`~pyramid.request.Request.forget_userid` help to create and
@@ -237,7 +237,7 @@ expire an auth ticket cookie.
 Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 91-123
+   :lines: 85-115
    :linenos:
    :language: python
 
@@ -274,17 +274,6 @@ added to ``views.py``.
 Return a logged_in flag to the renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add the following line to the import at the head of
-``tutorial/tutorial/views.py``:
-
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 14-18
-   :linenos:
-   :emphasize-lines: 4
-   :language: python
-
-(Only the highlighted line needs to be added.)
-
 Add a  ``logged_in`` parameter to the return value of
 ``view_page()``, ``edit_page()`` and  ``add_page()``,
 like this:
@@ -296,12 +285,12 @@ like this:
    return dict(page = page,
                content = content,
                edit_url = edit_url,
-               logged_in = authenticated_userid(request))
+               logged_in = request.authenticated_userid)
 
 (Only the highlighted line needs to be added.)
 
-The :meth:`~pyramid.security.authenticated_userid` method will return None
-if the user is not authenticated.
+The :attr:`~pyramid.request.Request.authenticated_userid` property will return
+``None`` if the user is not authenticated.
 
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -349,7 +338,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,14-18,25,31,37,58,61,73,76,88,91-117,119-123
+   :emphasize-lines: 11,19,25,31,52,55,67,70,82,85-115
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From 0dcd56c2c30863c6683c0cf442aa73dfdcd11b13 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sat, 9 Nov 2013 17:11:16 -0500
Subject: undeprecate remember/forget functions and remove
 remember_userid/forget_userid methods from request

---
 docs/tutorials/wiki2/authorization.rst | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 830cb0277..1e5d0dcbf 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -221,23 +221,23 @@ Add the following import statements to the
 head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 9-12,19
+   :lines: 9-19
    :linenos:
-   :emphasize-lines: 3,5
+   :emphasize-lines: 3,6-9,11
    :language: python
 
 (Only the highlighted lines need to be added.)
 
-:func:`~pyramid.view.forbidden_view_config` will be used
+:meth:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
-:meth:`~pyramid.request.Request.remember_userid` and
-:meth:`~pyramid.request.Request.forget_userid` help to create and
+:meth:`~pyramid.security.remember` and
+:meth:`~pyramid.security.forget` help to create and
 expire an auth ticket cookie.
 
 Now add the ``login`` and ``logout`` views:
 
 .. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 85-115
+   :lines: 91-123
    :linenos:
    :language: python
 
@@ -289,7 +289,7 @@ like this:
 
 (Only the highlighted line needs to be added.)
 
-The :attr:`~pyramid.request.Request.authenticated_userid` property will return
+The :meth:`~pyramid.request.Request.authenticated_userid` property will be
 ``None`` if the user is not authenticated.
 
 Add a "Logout" link when logged in
@@ -338,7 +338,7 @@ when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,19,25,31,52,55,67,70,82,85-115
+   :emphasize-lines: 11,14-19,25,31,37,58,61,73,76,88,91-117,119-123
    :language: python
 
 (Only the highlighted lines need to be added.)
-- 
cgit v1.2.3


From ee824a80bab0b30f7f8f466a9c93765b35c1c677 Mon Sep 17 00:00:00 2001
From: thapar <rajthapar@gmail.com>
Date: Mon, 17 Mar 2014 20:16:44 -0400
Subject: Added note to place login/logout route definitions before
 `/{pagename}` route

Resolves https://github.com/Pylons/pyramid/issues/1274
---
 docs/tutorials/wiki2/authorization.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1e5d0dcbf..1417dbdd8 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -207,6 +207,19 @@ routes:
    :linenos:
    :language: python
 
+.. note:: These lines must be added `before` this ``view_page`` route
+   definition:
+   .. literalinclude:: src/authorization/tutorial/__init__.py
+      :lines: 32
+      :linenos:
+      :language: python
+   This is because ``view_page``'s route definition uses a catch-all
+   "replacement marker" ``/{pagename}`` (see :ref:_route_pattern_syntax )
+   which will catch any route that was not already caught by any
+   route listed above it in ``__init__.py``. Hence, for ``login`` and
+   ``logout`` views to have the opportunity of being matched
+   (or "caught"), they must be above ``/{pagename}``.
+
 Add Login and Logout Views
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- 
cgit v1.2.3


From b6d8cf9c2eb8f7dd03fa3487b8e401940c314fb4 Mon Sep 17 00:00:00 2001
From: thapar <rajthapar@gmail.com>
Date: Mon, 17 Mar 2014 21:26:01 -0400
Subject: Corrected inline markup to use * for italics

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1417dbdd8..e3811b338 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -207,7 +207,7 @@ routes:
    :linenos:
    :language: python
 
-.. note:: These lines must be added `before` this ``view_page`` route
+.. note:: These lines must be added *before* this ``view_page`` route
    definition:
    .. literalinclude:: src/authorization/tutorial/__init__.py
       :lines: 32
-- 
cgit v1.2.3


From cf4023ad25637720ed5ccd1e7cdffd24da4c47cb Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Fri, 21 Mar 2014 06:19:27 -0700
Subject: - correct bad .rst syntax

---
 docs/tutorials/wiki2/authorization.rst | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index e3811b338..2e35574fd 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -207,14 +207,16 @@ routes:
    :linenos:
    :language: python
 
-.. note:: These lines must be added *before* this ``view_page`` route
-   definition:
+.. note:: The preceding lines must be added *before* the following
+   ``view_page`` route definition:
+
    .. literalinclude:: src/authorization/tutorial/__init__.py
       :lines: 32
       :linenos:
       :language: python
+
    This is because ``view_page``'s route definition uses a catch-all
-   "replacement marker" ``/{pagename}`` (see :ref:_route_pattern_syntax )
+   "replacement marker" ``/{pagename}`` (see :ref:`route_pattern_syntax`)
    which will catch any route that was not already caught by any
    route listed above it in ``__init__.py``. Hence, for ``login`` and
    ``logout`` views to have the opportunity of being matched
-- 
cgit v1.2.3


From b2b56690f614acf13ed9c3c03fab51f0f3950c4f Mon Sep 17 00:00:00 2001
From: Antti Haapala <antti.haapala@anttipatterns.com>
Date: Tue, 14 Apr 2015 12:16:32 +0300
Subject: fixed documentation; wrong line in docs

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 2e35574fd..90a89d63e 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -211,7 +211,7 @@ routes:
    ``view_page`` route definition:
 
    .. literalinclude:: src/authorization/tutorial/__init__.py
-      :lines: 32
+      :lines: 33
       :linenos:
       :language: python
 
-- 
cgit v1.2.3


From 8d88c0ffa7b8e08215c7a06e130c84b2963f3279 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Mon, 25 May 2015 02:48:32 -0700
Subject: update templates, line numbers, file references

---
 docs/tutorials/wiki2/authorization.rst | 138 ++++++++++++++++++---------------
 1 file changed, 74 insertions(+), 64 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 90a89d63e..1f7af5654 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -80,15 +80,16 @@ statement at the head:
    :linenos:
    :language: python
 
-Add the following class definition:
+Add the following class definition at the end:
 
 .. literalinclude:: src/authorization/tutorial/models.py
    :lines: 33-37
    :linenos:
+   :lineno-start: 33
    :language: python
 
 We import :data:`~pyramid.security.Allow`, an action that
-means that permission is allowed:, and
+means that permission is allowed, and
 :data:`~pyramid.security.Everyone`, a special :term:`principal`
 that is associated to all requests.  Both are used in the
 :term:`ACE` entries that make up the ACL.
@@ -112,9 +113,10 @@ the class we created above:
    :lines: 24-25
    :linenos:
    :emphasize-lines: 2
+   :lineno-start: 16
    :language: python
 
-(Only the highlighted line needs to be added.)
+Only the highlighted line needs to be added.
 
 We are now providing the ACL to the application.  See
 :ref:`assigning_acls` for more information about what an
@@ -130,12 +132,13 @@ We are now providing the ACL to the application.  See
 Add Authentication and Authorization Policies
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/__init__.py`` and
-add these import statements:
+Open ``tutorial/tutorial/__init__.py`` and add the highlighted import
+statements:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 2-3,7
+   :lines: 1-7
    :linenos:
+   :emphasize-lines: 2-3,7
    :language: python
 
 Now add those policies to the configuration:
@@ -143,10 +146,11 @@ Now add those policies to the configuration:
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 21-27
    :linenos:
+   :lineno-start: 21
    :emphasize-lines: 1-3,6-7
    :language: python
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added.
 
 We are enabling an ``AuthTktAuthenticationPolicy``, which is based in an
 auth ticket that may be included in the request.
@@ -161,33 +165,38 @@ machinery represented by this policy: it is required.  The ``callback`` is the
 
 Add permission declarations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Open ``tutorial/tutorial/views.py`` and add a ``permission='edit'`` parameter
+to the ``@view_config`` decorators for ``add_page()`` and ``edit_page()``:
 
-Add a ``permission='edit'`` parameter to the ``@view_config``
-decorator for ``add_page()`` and ``edit_page()``, for example:
-
-.. code-block:: python
-   :linenos:
-   :emphasize-lines: 2
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 60-61
+   :emphasize-lines: 1-2
+   :language: python
 
-   @view_config(route_name='add_page', renderer='templates/edit.pt',
-                permission='edit')
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 75-76
+   :emphasize-lines: 1-2
+   :language: python
 
-(Only the highlighted line needs to be added.)
+Only the highlighted lines need to be added or edited.
 
 The result is that only users who possess the ``edit``
 permission at the time of the request may invoke those two views.
 
 Add a ``permission='view'`` parameter to the ``@view_config``
-decorator for ``view_wiki()`` and ``view_page()``, like this:
+decorator for ``view_wiki()`` and ``view_page()`` as follows:
 
-.. code-block:: python
-   :linenos:
-   :emphasize-lines: 2
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 30-31
+   :emphasize-lines: 1-2
+   :language: python
 
-   @view_config(route_name='view_page', renderer='templates/view.pt',
-                permission='view')
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 36-37
+   :emphasize-lines: 1-2
+   :language: python
 
-(Only the highlighted line needs to be added.)
+Only the highlighted lines need to be added or edited.
 
 This allows anyone to invoke these two views.
 
@@ -200,11 +209,11 @@ Login, Logout
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Go back to ``tutorial/tutorial/__init__.py`` and add these two
-routes:
+routes as highlighted:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 31-32
-   :linenos:
+   :lines: 30-33
+   :emphasize-lines: 2-3
    :language: python
 
 .. note:: The preceding lines must be added *before* the following
@@ -212,7 +221,6 @@ routes:
 
    .. literalinclude:: src/authorization/tutorial/__init__.py
       :lines: 33
-      :linenos:
       :language: python
 
    This is because ``view_page``'s route definition uses a catch-all
@@ -237,11 +245,10 @@ head of ``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 9-19
-   :linenos:
-   :emphasize-lines: 3,6-9,11
+   :emphasize-lines: 1-11
    :language: python
 
-(Only the highlighted lines need to be added.)
+All the highlighted lines need to be added or edited.
 
 :meth:`~pyramid.view.forbidden_view_config` will be used
 to customize the default 403 Forbidden page.
@@ -249,11 +256,10 @@ to customize the default 403 Forbidden page.
 :meth:`~pyramid.security.forget` help to create and
 expire an auth ticket cookie.
 
-Now add the ``login`` and ``logout`` views:
+Now add the ``login`` and ``logout`` views at the end of the file:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 91-123
-   :linenos:
    :language: python
 
 ``login()`` is decorated with two decorators:
@@ -286,23 +292,28 @@ content:
 The above template is referred to within the login view we just
 added to ``views.py``.
 
-Return a logged_in flag to the renderer
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Return a ``logged_in`` flag to the renderer
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add a  ``logged_in`` parameter to the return value of
-``view_page()``, ``edit_page()`` and  ``add_page()``,
-like this:
+Add a ``logged_in`` parameter to the return value of
+``view_page()``, ``edit_page()``, and ``add_page()`` as follows:
 
-.. code-block:: python
-   :linenos:
-   :emphasize-lines: 4
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 57-58
+   :emphasize-lines: 1-2
+   :language: python
+
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 72-73
+   :emphasize-lines: 1-2
+   :language: python
 
-   return dict(page = page,
-               content = content,
-               edit_url = edit_url,
-               logged_in = request.authenticated_userid)
+.. literalinclude:: src/authorization/tutorial/views.py
+   :lines: 85-89
+   :emphasize-lines: 3-4
+   :language: python
 
-(Only the highlighted line needs to be added.)
+Only the highlighted lines need to be added or edited.
 
 The :meth:`~pyramid.request.Request.authenticated_userid` property will be
 ``None`` if the user is not authenticated.
@@ -311,22 +322,21 @@ Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Open ``tutorial/tutorial/templates/edit.pt`` and
-``tutorial/tutorial/templates/view.pt``  and add this within the
-``<div id="right" class="app-welcome align-right">`` div:
-
-.. code-block:: xml
+``tutorial/tutorial/templates/view.pt`` and add the following code as
+indicated by the highlighted lines.
 
-   <span tal:condition="logged_in">
-      <a href="${request.application_url}/logout">Logout</a>
-   </span>
+.. literalinclude:: src/authorization/tutorial/templates/edit.pt
+   :lines: 34-38
+   :emphasize-lines: 3-5
+   :language: html
 
 The attribute ``tal:condition="logged_in"`` will make the element be
 included when ``logged_in`` is any user id. The link will invoke
 the logout view.  The above element will not be included if ``logged_in``
 is ``None``, such as when a user is not authenticated.
 
-Seeing Our Changes
-------------------
+Reviewing our changes
+---------------------
 
 Our ``tutorial/tutorial/__init__.py`` will look something like this
 when we're done:
@@ -336,7 +346,7 @@ when we're done:
    :emphasize-lines: 2-3,7,21-23,25-27,31-32
    :language: python
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added or edited.
 
 Our ``tutorial/tutorial/models.py`` will look something like this
 when we're done:
@@ -346,37 +356,37 @@ when we're done:
    :emphasize-lines: 1-4,33-37
    :language: python
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added or edited.
 
 Our ``tutorial/tutorial/views.py`` will look something like this
 when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
-   :emphasize-lines: 11,14-19,25,31,37,58,61,73,76,88,91-117,119-123
+   :emphasize-lines: 9-11,14-19,25,31,37,58,61,73,76,88,91-117,119-123
    :language: python
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added or edited.
 
 Our ``tutorial/tutorial/templates/edit.pt`` template will look
 something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.pt
    :linenos:
-   :emphasize-lines: 41-43
-   :language: xml
+   :emphasize-lines: 36-38
+   :language: html
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added or edited.
 
 Our ``tutorial/tutorial/templates/view.pt`` template will look
 something like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.pt
    :linenos:
-   :emphasize-lines: 41-43
-   :language: xml
+   :emphasize-lines: 36-38
+   :language: html
 
-(Only the highlighted lines need to be added.)
+Only the highlighted lines need to be added or edited.
 
 Viewing the Application in a Browser
 ------------------------------------
-- 
cgit v1.2.3


From 5f375c7603c0e240a60b884bf0ef39352c25c879 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Wed, 27 May 2015 02:44:38 -0700
Subject: - clean up and make consistent across both wikis authorization.rst -
 update templates and static assets to new theme

---
 docs/tutorials/wiki2/authorization.rst | 289 ++++++++++++++++-----------------
 1 file changed, 136 insertions(+), 153 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1f7af5654..125579e7f 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -1,27 +1,25 @@
 .. _wiki2_adding_authorization:
 
 ====================
-Adding Authorization
+Adding authorization
 ====================
 
 :app:`Pyramid` provides facilities for :term:`authentication` and
-:term:`authorization`.  We'll make use of both features to provide security
-to our application.  Our application currently allows anyone with access to
-the server to view, edit, and add pages to our wiki.  We'll change that
-to allow only people who are members of a *group* named ``group:editors``
-to add and edit wiki pages but we'll continue allowing
-anyone with access to the server to view pages.
-
-We will also add a login page and a logout link on all the
-pages.  The login page will be shown when a user is denied
-access to any of the views that require permission, instead of
-a default "403 Forbidden" page.
+::term:`authorization`.  We'll make use of both features to provide security
+:to our application.  Our application currently allows anyone with access to
+:the server to view, edit, and add pages to our wiki.  We'll change that to
+:allow only people who are members of a *group* named ``group:editors`` to add
+:and edit wiki pages but we'll continue allowing anyone with access to the
+:server to view pages.
+
+We will also add a login page and a logout link on all the pages.  The login
+page will be shown when a user is denied access to any of the views that
+require permission, instead of a default "403 Forbidden" page.
 
 We will implement the access control with the following steps:
 
 * Add users and groups (``security.py``, a new module).
-* Add an :term:`ACL` (``models.py`` and
-  ``__init__.py``).
+* Add an :term:`ACL` (``models.py`` and ``__init__.py``).
 * Add an :term:`authentication policy` and an :term:`authorization policy`
   (``__init__.py``).
 * Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
@@ -32,12 +30,13 @@ Then we will add the login and logout feature:
 * Add routes for /login and /logout (``__init__.py``).
 * Add ``login`` and ``logout`` views (``views.py``).
 * Add a login template (``login.pt``).
-* Make the existing views return a ``logged_in`` flag to the renderer (``views.py``).
+* Make the existing views return a ``logged_in`` flag to the renderer
+  (``views.py``).
 * Add a "Logout" link to be shown when logged in and viewing or editing a page
   (``view.pt``, ``edit.pt``).
 
 
-Access Control
+Access control
 --------------
 
 Add users and groups
@@ -53,21 +52,18 @@ following content:
 The ``groupfinder`` function accepts a userid and a request and
 returns one of these values:
 
-- If the userid exists in the system, it will return a
-  sequence of group identifiers (or an empty sequence if the user
-  isn't a member of any groups).
-- If the userid *does not* exist in the system, it will
-  return ``None``.
+- If the userid exists in the system, it will return a sequence of group
+  identifiers (or an empty sequence if the user isn't a member of any groups).
+- If the userid *does not* exist in the system, it will return ``None``.
 
 For example, ``groupfinder('editor', request )`` returns ``['group:editor']``,
-``groupfinder('viewer', request)`` returns [], and ``groupfinder('admin', request)``
-returns ``None``.  We will use ``groupfinder()`` as an :term:`authentication policy`
-"callback" that will provide the :term:`principal` or principals
-for a user.
+``groupfinder('viewer', request)`` returns ``[]``, and ``groupfinder('admin',
+request)`` returns ``None``.  We will use ``groupfinder()`` as an
+:term:`authentication policy` "callback" that will provide the
+:term:`principal` or principals for a user.
 
-In a production system, user and group
-data will most often come from a database, but here we use "dummy"
-data to represent user and groups sources.
+In a production system, user and group data will most often come from a
+database, but here we use "dummy" data to represent user and groups sources.
 
 Add an ACL
 ~~~~~~~~~~
@@ -88,26 +84,24 @@ Add the following class definition at the end:
    :lineno-start: 33
    :language: python
 
-We import :data:`~pyramid.security.Allow`, an action that
-means that permission is allowed, and
-:data:`~pyramid.security.Everyone`, a special :term:`principal`
-that is associated to all requests.  Both are used in the
+We import :data:`~pyramid.security.Allow`, an action that means that
+permission is allowed, and :data:`~pyramid.security.Everyone`, a special
+:term:`principal` that is associated to all requests.  Both are used in the
 :term:`ACE` entries that make up the ACL.
 
-The ACL is a list that needs to be named `__acl__` and be an
-attribute of a class.  We define an :term:`ACL` with two
-:term:`ACE` entries: the first entry allows any user the `view`
-permission.  The second entry allows the ``group:editors``
-principal  the `edit` permission.
+The ACL is a list that needs to be named `__acl__` and be an attribute of a
+class.  We define an :term:`ACL` with two :term:`ACE` entries: the first entry
+allows any user the `view` permission.  The second entry allows the
+``group:editors`` principal the `edit` permission.
 
-The ``RootFactory`` class that contains the ACL is a :term:`root factory`.
-We need to associate it to our :app:`Pyramid` application, so the ACL is
-provided to each view in the :term:`context` of the request, as
-the ``context`` attribute.
+The ``RootFactory`` class that contains the ACL is a :term:`root factory`. We
+need to associate it to our :app:`Pyramid` application, so the ACL is provided
+to each view in the :term:`context` of the request as the ``context``
+attribute.
 
-Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory``
-parameter to our :term:`Configurator` constructor, that points to
-the class we created above:
+Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory`` parameter to
+our :term:`Configurator` constructor, that points to the class we created
+above:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 24-25
@@ -118,18 +112,15 @@ the class we created above:
 
 Only the highlighted line needs to be added.
 
-We are now providing the ACL to the application.  See
-:ref:`assigning_acls` for more information about what an
-:term:`ACL` represents.
-
-.. note::
+We are now providing the ACL to the application.  See :ref:`assigning_acls`
+for more information about what an :term:`ACL` represents.
 
-    Although we don't use the functionality here, the ``factory`` used
-    to create route contexts may differ per-route as opposed to globally.  See
-    the ``factory`` argument to
-    :meth:`pyramid.config.Configurator.add_route` for more info.
+.. note:: Although we don't use the functionality here, the ``factory`` used
+   to create route contexts may differ per-route as opposed to globally.  See
+   the ``factory`` argument to :meth:`pyramid.config.Configurator.add_route`
+   for more info.
 
-Add Authentication and Authorization Policies
+Add authentication and authorization policies
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Open ``tutorial/tutorial/__init__.py`` and add the highlighted import
@@ -152,12 +143,12 @@ Now add those policies to the configuration:
 
 Only the highlighted lines need to be added.
 
-We are enabling an ``AuthTktAuthenticationPolicy``, which is based in an
-auth ticket that may be included in the request.
-We are also enabling an ``ACLAuthorizationPolicy``, which uses an ACL to
-determine the *allow* or *deny* outcome for a view.
+We are enabling an ``AuthTktAuthenticationPolicy``, which is based in an auth
+ticket that may be included in the request. We are also enabling an
+``ACLAuthorizationPolicy``, which uses an ACL to determine the *allow* or
+*deny* outcome for a view.
 
-Note that the :class:`~pyramid.authentication.AuthTktAuthenticationPolicy`
+Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
 constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
 a string representing an encryption key used by the "authentication ticket"
 machinery represented by this policy: it is required.  The ``callback`` is the
@@ -178,13 +169,14 @@ to the ``@view_config`` decorators for ``add_page()`` and ``edit_page()``:
    :emphasize-lines: 1-2
    :language: python
 
-Only the highlighted lines need to be added or edited.
+Only the highlighted lines, along with their preceding commas, need to be
+edited and added.
 
-The result is that only users who possess the ``edit``
-permission at the time of the request may invoke those two views.
+The result is that only users who possess the ``edit`` permission at the time
+of the request may invoke those two views.
 
-Add a ``permission='view'`` parameter to the ``@view_config``
-decorator for ``view_wiki()`` and ``view_page()`` as follows:
+Add a ``permission='view'`` parameter to the ``@view_config`` decorator for
+``view_wiki()`` and ``view_page()`` as follows:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 30-31
@@ -196,20 +188,21 @@ decorator for ``view_wiki()`` and ``view_page()`` as follows:
    :emphasize-lines: 1-2
    :language: python
 
-Only the highlighted lines need to be added or edited.
+Only the highlighted lines, along with their preceding commas, need to be
+edited and added.
 
 This allows anyone to invoke these two views.
 
-We are done with the changes needed to control access.  The
-changes that follow will add the login and logout feature.
+We are done with the changes needed to control access.  The changes that
+follow will add the login and logout feature.
 
-Login, Logout
+Login, logout
 -------------
 
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Go back to ``tutorial/tutorial/__init__.py`` and add these two
-routes as highlighted:
+Go back to ``tutorial/tutorial/__init__.py`` and add these two routes as
+highlighted:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 30-33
@@ -225,23 +218,23 @@ routes as highlighted:
 
    This is because ``view_page``'s route definition uses a catch-all
    "replacement marker" ``/{pagename}`` (see :ref:`route_pattern_syntax`)
-   which will catch any route that was not already caught by any
-   route listed above it in ``__init__.py``. Hence, for ``login`` and
-   ``logout`` views to have the opportunity of being matched
-   (or "caught"), they must be above ``/{pagename}``.
+   which will catch any route that was not already caught by any route listed
+   above it in ``__init__.py``. Hence, for ``login`` and ``logout`` views to
+   have the opportunity of being matched (or "caught"), they must be above
+   ``/{pagename}``.
 
-Add Login and Logout Views
+Add login and logout views
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-We'll add a ``login`` view which renders a login form and processes
-the post from the login form, checking credentials.
+We'll add a ``login`` view which renders a login form and processes the post
+from the login form, checking credentials.
 
-We'll also add a ``logout`` view callable to our application and
-provide a link to it.  This view will clear the credentials of the
-logged in user and redirect back to the front page.
+We'll also add a ``logout`` view callable to our application and provide a
+link to it.  This view will clear the credentials of the logged in user and
+redirect back to the front page.
 
-Add the following import statements to the
-head of ``tutorial/tutorial/views.py``:
+Add the following import statements to the head of
+``tutorial/tutorial/views.py``:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 9-19
@@ -250,11 +243,10 @@ head of ``tutorial/tutorial/views.py``:
 
 All the highlighted lines need to be added or edited.
 
-:meth:`~pyramid.view.forbidden_view_config` will be used
-to customize the default 403 Forbidden page.
-:meth:`~pyramid.security.remember` and
-:meth:`~pyramid.security.forget` help to create and
-expire an auth ticket cookie.
+:meth:`~pyramid.view.forbidden_view_config` will be used to customize the
+default 403 Forbidden page. :meth:`~pyramid.security.remember` and
+:meth:`~pyramid.security.forget` help to create and expire an auth ticket
+cookie.
 
 Now add the ``login`` and ``logout`` views at the end of the file:
 
@@ -262,41 +254,38 @@ Now add the ``login`` and ``logout`` views at the end of the file:
    :lines: 91-123
    :language: python
 
-``login()`` is decorated with two decorators:
+``login()`` has two decorators:
 
-- a ``@view_config`` decorator which associates it with the
-  ``login`` route and makes it visible when we visit ``/login``,
-- a ``@forbidden_view_config`` decorator which turns it into
-  an :term:`forbidden view`. ``login()`` will be invoked
-  when a users tries to execute a view callable that
-  they are not allowed to.  For example, if a user has not logged in
-  and tries to add or edit a Wiki page, he will be shown the
-  login form before being allowed to continue on.
+- a ``@view_config`` decorator which associates it with the ``login`` route
+  and makes it visible when we visit ``/login``,
+- a ``@forbidden_view_config`` decorator which turns it into a
+  :term:`forbidden view`. ``login()`` will be invoked when a user tries to
+  execute a view callable for which they lack authorization.  For example, if
+  a user has not logged in and tries to add or edit a Wiki page, they will be
+  shown the login form before being allowed to continue.
 
-The order of these two :term:`view configuration` decorators
-is unimportant.
+The order of these two :term:`view configuration` decorators is unimportant.
 
-``logout()`` is decorated with a ``@view_config`` decorator
-which associates it with the ``logout`` route.  It will be
-invoked when we visit ``/logout``.
+``logout()`` is decorated with a ``@view_config`` decorator which associates
+it with the ``logout`` route.  It will be invoked when we visit ``/logout``.
 
 Add the ``login.pt`` Template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Create ``tutorial/tutorial/templates/login.pt`` with the following
-content:
+Create ``tutorial/tutorial/templates/login.pt`` with the following content:
 
 .. literalinclude:: src/authorization/tutorial/templates/login.pt
-   :language: xml
+   :language: html
 
-The above template is referred to within the login view we just
-added to ``views.py``.
+The above template is referenced in the login view that we just added in
+``views.py``.
 
 Return a ``logged_in`` flag to the renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add a ``logged_in`` parameter to the return value of
-``view_page()``, ``edit_page()``, and ``add_page()`` as follows:
+Open ``tutorial/tutorial/views.py`` again. Add a ``logged_in`` parameter to
+the return value of ``view_page()``, ``edit_page()``, and ``add_page()`` as
+follows:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :lines: 57-58
@@ -315,8 +304,8 @@ Add a ``logged_in`` parameter to the return value of
 
 Only the highlighted lines need to be added or edited.
 
-The :meth:`~pyramid.request.Request.authenticated_userid` property will be
-``None`` if the user is not authenticated.
+The :meth:`pyramid.request.Request.authenticated_userid` will be ``None`` if
+the user is not authenticated, or a userid if the user is authenticated.
 
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -330,16 +319,15 @@ indicated by the highlighted lines.
    :emphasize-lines: 3-5
    :language: html
 
-The attribute ``tal:condition="logged_in"`` will make the element be
-included when ``logged_in`` is any user id. The link will invoke
-the logout view.  The above element will not be included if ``logged_in``
-is ``None``, such as when a user is not authenticated.
+The attribute ``tal:condition="logged_in"`` will make the element be included
+when ``logged_in`` is any user id. The link will invoke the logout view.  The
+above element will not be included if ``logged_in`` is ``None``, such as when
+a user is not authenticated.
 
 Reviewing our changes
 ---------------------
 
-Our ``tutorial/tutorial/__init__.py`` will look something like this
-when we're done:
+Our ``tutorial/tutorial/__init__.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
@@ -348,8 +336,7 @@ when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/models.py`` will look something like this
-when we're done:
+Our ``tutorial/tutorial/models.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/models.py
    :linenos:
@@ -358,8 +345,7 @@ when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/views.py`` will look something like this
-when we're done:
+Our ``tutorial/tutorial/views.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views.py
    :linenos:
@@ -368,8 +354,8 @@ when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/edit.pt`` template will look
-something like this when we're done:
+Our ``tutorial/tutorial/templates/edit.pt`` template will look like this when
+we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.pt
    :linenos:
@@ -378,8 +364,8 @@ something like this when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/view.pt`` template will look
-something like this when we're done:
+Our ``tutorial/tutorial/templates/view.pt`` template will look like this when
+we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.pt
    :linenos:
@@ -392,32 +378,29 @@ Viewing the Application in a Browser
 ------------------------------------
 
 We can finally examine our application in a browser (See
-:ref:`wiki2-start-the-application`).  Launch a browser and visit
-each of the following URLs, check that the result is as expected:
-
-- http://localhost:6543/ invokes the
-  ``view_wiki`` view.  This always redirects to the ``view_page`` view
-  of the FrontPage page object.  It is executable by any user.
-
-- http://localhost:6543/FrontPage invokes
-  the ``view_page`` view of the FrontPage page object.
-
-- http://localhost:6543/FrontPage/edit_page
-  invokes the edit view for the FrontPage object.  It is executable by
-  only the ``editor`` user.  If a different user (or the anonymous
-  user) invokes it, a login form will be displayed.  Supplying the
-  credentials with the username ``editor``, password ``editor`` will
-  display the edit page form.
-
-- http://localhost:6543/add_page/SomePageName
-  invokes the add view for a page.  It is executable by only
-  the ``editor`` user.  If a different user (or the anonymous user)
-  invokes it, a login form will be displayed.  Supplying the
-  credentials with the username ``editor``, password ``editor`` will
-  display the edit page form.
-
-- After logging in (as a result of hitting an edit or add page
-  and submitting the login form with the ``editor``
-  credentials), we'll see a Logout link in the upper right hand
-  corner.  When we click it, we're logged out, and redirected
-  back to the front page.
+:ref:`wiki2-start-the-application`).  Launch a browser and visit each of the
+following URLs, checking that the result is as expected:
+
+- http://localhost:6543/ invokes the ``view_wiki`` view.  This always
+  redirects to the ``view_page`` view of the ``FrontPage`` page object.  It
+  is executable by any user.
+
+- http://localhost:6543/FrontPage invokes the ``view_page`` view of the
+  ``FrontPage`` page object.
+
+- http://localhost:6543/FrontPage/edit_page invokes the edit view for the
+  FrontPage object.  It is executable by only the ``editor`` user.  If a
+  different user (or the anonymous user) invokes it, a login form will be
+  displayed.  Supplying the credentials with the username ``editor``, password
+  ``editor`` will display the edit page form.
+
+- http://localhost:6543/add_page/SomePageName invokes the add view for a page.
+  It is executable by only the ``editor`` user.  If a different user (or the
+  anonymous user) invokes it, a login form will be displayed. Supplying the
+  credentials with the username ``editor``, password ``editor`` will display
+  the edit page form.
+
+- After logging in (as a result of hitting an edit or add page and submitting
+  the login form with the ``editor`` credentials), we'll see a Logout link in
+  the upper right hand corner.  When we click it, we're logged out, and
+  redirected back to the front page.
-- 
cgit v1.2.3


From 6901d74698da7b8457f92f0771fe03015acb9261 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Wed, 27 May 2015 03:38:39 -0700
Subject: - clean up and make consistent across wiki tutorials - update
 templates and static assets for new design

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 125579e7f..d2ad7a9ca 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -374,7 +374,7 @@ we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Viewing the Application in a Browser
+Viewing the application in a browser
 ------------------------------------
 
 We can finally examine our application in a browser (See
-- 
cgit v1.2.3


From b5096d71dc30839474f390b488440cc589da5879 Mon Sep 17 00:00:00 2001
From: orangieboot <chris@affleck.eu>
Date: Thu, 11 Jun 2015 21:56:31 +0100
Subject: Update authorization.rst

Removed extra colons
---
 docs/tutorials/wiki2/authorization.rst | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index d2ad7a9ca..1d810b05b 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -5,12 +5,12 @@ Adding authorization
 ====================
 
 :app:`Pyramid` provides facilities for :term:`authentication` and
-::term:`authorization`.  We'll make use of both features to provide security
-:to our application.  Our application currently allows anyone with access to
-:the server to view, edit, and add pages to our wiki.  We'll change that to
-:allow only people who are members of a *group* named ``group:editors`` to add
-:and edit wiki pages but we'll continue allowing anyone with access to the
-:server to view pages.
+:term:`authorization`.  We'll make use of both features to provide security
+to our application.  Our application currently allows anyone with access to
+the server to view, edit, and add pages to our wiki.  We'll change that to
+allow only people who are members of a *group* named ``group:editors`` to add
+and edit wiki pages but we'll continue allowing anyone with access to the
+server to view pages.
 
 We will also add a login page and a logout link on all the pages.  The login
 page will be shown when a user is denied access to any of the views that
-- 
cgit v1.2.3


From a47f067ca7491b797402604fd78a5a1132964f4d Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Sun, 15 Nov 2015 05:36:13 -0800
Subject: wiki2/authorization.rst - progress on models and security from module
 to subpackage

---
 docs/tutorials/wiki2/authorization.rst | 51 ++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 24 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1d810b05b..98e6110f3 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -18,22 +18,22 @@ require permission, instead of a default "403 Forbidden" page.
 
 We will implement the access control with the following steps:
 
-* Add users and groups (``security.py``, a new module).
-* Add an :term:`ACL` (``models.py`` and ``__init__.py``).
+* Add users and groups (``security/default.py``, a new subpackage).
+* Add an :term:`ACL` (``models/mymodel.py`` and ``__init__.py``).
 * Add an :term:`authentication policy` and an :term:`authorization policy`
   (``__init__.py``).
 * Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
-  views (``views.py``).
+  views (``views/default.py``).
 
 Then we will add the login and logout feature:
 
 * Add routes for /login and /logout (``__init__.py``).
-* Add ``login`` and ``logout`` views (``views.py``).
-* Add a login template (``login.pt``).
+* Add ``login`` and ``logout`` views (``views/default.py``).
+* Add a login template (``login.jinja2``).
 * Make the existing views return a ``logged_in`` flag to the renderer
-  (``views.py``).
+  (``views/default.py``).
 * Add a "Logout" link to be shown when logged in and viewing or editing a page
-  (``view.pt``, ``edit.pt``).
+  (``view.jinja2``, ``edit.jinja2``).
 
 
 Access control
@@ -42,10 +42,10 @@ Access control
 Add users and groups
 ~~~~~~~~~~~~~~~~~~~~
 
-Create a new ``tutorial/tutorial/security.py`` module with the
+Create a new ``tutorial/tutorial/security/default.py`` subpackage with the
 following content:
 
-.. literalinclude:: src/authorization/tutorial/security.py
+.. literalinclude:: src/authorization/tutorial/security/default.py
    :linenos:
    :language: python
 
@@ -68,20 +68,21 @@ database, but here we use "dummy" data to represent user and groups sources.
 Add an ACL
 ~~~~~~~~~~
 
-Open ``tutorial/tutorial/models.py`` and add the following import
-statement at the head:
+Open ``tutorial/tutorial/models/mymodel.py`` and add the following import
+statement just after the ``Base`` import at the top:
 
-.. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 1-4
+.. literalinclude:: src/authorization/tutorial/models/mymodel.py
+   :lines: 3-6
    :linenos:
+   :lineno-start: 3
    :language: python
 
 Add the following class definition at the end:
 
-.. literalinclude:: src/authorization/tutorial/models.py
-   :lines: 33-37
+.. literalinclude:: src/authorization/tutorial/models/mymodel.py
+   :lines: 22-26
    :linenos:
-   :lineno-start: 33
+   :lineno-start: 22
    :language: python
 
 We import :data:`~pyramid.security.Allow`, an action that means that
@@ -90,9 +91,9 @@ permission is allowed, and :data:`~pyramid.security.Everyone`, a special
 :term:`ACE` entries that make up the ACL.
 
 The ACL is a list that needs to be named `__acl__` and be an attribute of a
-class.  We define an :term:`ACL` with two :term:`ACE` entries: the first entry
-allows any user the `view` permission.  The second entry allows the
-``group:editors`` principal the `edit` permission.
+class.  We define an :term:`ACL` with two :term:`ACE` entries.  The first entry
+allows any user (``Everyone``) the `view` permission.  The second entry allows
+the ``group:editors`` principal the `edit` permission.
 
 The ``RootFactory`` class that contains the ACL is a :term:`root factory`. We
 need to associate it to our :app:`Pyramid` application, so the ACL is provided
@@ -103,11 +104,11 @@ Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory`` parameter to
 our :term:`Configurator` constructor, that points to the class we created
 above:
 
+.. TODO update the lines to include, linenos, lineno-start
+
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 24-25
-   :linenos:
    :emphasize-lines: 2
-   :lineno-start: 16
    :language: python
 
 Only the highlighted line needs to be added.
@@ -336,11 +337,11 @@ Our ``tutorial/tutorial/__init__.py`` will look like this when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/models.py`` will look like this when we're done:
+Our ``tutorial/tutorial/models/mymodel.py`` will look like this when we're done:
 
-.. literalinclude:: src/authorization/tutorial/models.py
+.. literalinclude:: src/authorization/tutorial/models/mymodel.py
    :linenos:
-   :emphasize-lines: 1-4,33-37
+   :emphasize-lines: 3-6,22-26
    :language: python
 
 Only the highlighted lines need to be added or edited.
@@ -404,3 +405,5 @@ following URLs, checking that the result is as expected:
   the login form with the ``editor`` credentials), we'll see a Logout link in
   the upper right hand corner.  When we click it, we're logged out, and
   redirected back to the front page.
+
+.. TODO update the lines to include in src/authorization/tutorial/__init__.py
-- 
cgit v1.2.3


From 4040cf7ef5a9843e25db69b3a17b3796f3a39fb8 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Mon, 16 Nov 2015 00:17:20 -0800
Subject: - complete rewrite of wiki2/authorization.rst - add
 wiki2/src/authorization/ files - improve <title> tag in
 views/tutorial/templates/edit.jinja2

---
 docs/tutorials/wiki2/authorization.rst | 137 ++++++++++++++++-----------------
 1 file changed, 68 insertions(+), 69 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 98e6110f3..e40433497 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -104,10 +104,8 @@ Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory`` parameter to
 our :term:`Configurator` constructor, that points to the class we created
 above:
 
-.. TODO update the lines to include, linenos, lineno-start
-
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 24-25
+   :lines: 13-14
    :emphasize-lines: 2
    :language: python
 
@@ -128,18 +126,18 @@ Open ``tutorial/tutorial/__init__.py`` and add the highlighted import
 statements:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 1-7
+   :lines: 1-5
    :linenos:
-   :emphasize-lines: 2-3,7
+   :emphasize-lines: 2-5
    :language: python
 
 Now add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 21-27
+   :lines: 7-16
    :linenos:
-   :lineno-start: 21
-   :emphasize-lines: 1-3,6-7
+   :lineno-start: 7
+   :emphasize-lines: 4-6,9-10
    :language: python
 
 Only the highlighted lines need to be added.
@@ -152,47 +150,50 @@ ticket that may be included in the request. We are also enabling an
 Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
 constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
 a string representing an encryption key used by the "authentication ticket"
-machinery represented by this policy: it is required.  The ``callback`` is the
+machinery represented by this policy; it is required.  The ``callback`` is the
 ``groupfinder()`` function that we created before.
 
+
 Add permission declarations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Open ``tutorial/tutorial/views.py`` and add a ``permission='edit'`` parameter
-to the ``@view_config`` decorators for ``add_page()`` and ``edit_page()``:
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 60-61
+Open ``tutorial/tutorial/views/default.py`` and add a ``permission='view'``
+parameter to the ``@view_config`` decorator for ``view_wiki()`` and
+``view_page()`` as follows:
+
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 27-29
    :emphasize-lines: 1-2
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 75-76
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 33-35
    :emphasize-lines: 1-2
    :language: python
 
 Only the highlighted lines, along with their preceding commas, need to be
 edited and added.
 
-The result is that only users who possess the ``edit`` permission at the time
-of the request may invoke those two views.
+This allows anyone to invoke these two views.
 
-Add a ``permission='view'`` parameter to the ``@view_config`` decorator for
-``view_wiki()`` and ``view_page()`` as follows:
+Add a ``permission='edit'`` parameter to the ``@view_config`` decorators for
+``add_page()`` and ``edit_page()``:
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 30-31
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 57-59
    :emphasize-lines: 1-2
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 36-37
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 72-74
    :emphasize-lines: 1-2
    :language: python
 
 Only the highlighted lines, along with their preceding commas, need to be
 edited and added.
 
-This allows anyone to invoke these two views.
+The result is that only users who possess the ``edit`` permission at the time
+of the request may invoke those two views.
 
 We are done with the changes needed to control access.  The changes that
 follow will add the login and logout feature.
@@ -206,7 +207,7 @@ Go back to ``tutorial/tutorial/__init__.py`` and add these two routes as
 highlighted:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 30-33
+   :lines: 20-23
    :emphasize-lines: 2-3
    :language: python
 
@@ -214,7 +215,7 @@ highlighted:
    ``view_page`` route definition:
 
    .. literalinclude:: src/authorization/tutorial/__init__.py
-      :lines: 33
+      :lines: 23
       :language: python
 
    This is because ``view_page``'s route definition uses a catch-all
@@ -234,11 +235,11 @@ We'll also add a ``logout`` view callable to our application and provide a
 link to it.  This view will clear the credentials of the logged in user and
 redirect back to the front page.
 
-Add the following import statements to the head of
-``tutorial/tutorial/views.py``:
+Add the following import statements to ``tutorial/tutorial/views/default.py``
+after the import from ``pyramid.httpexceptions``:
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 9-19
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 10-20
    :emphasize-lines: 1-11
    :language: python
 
@@ -251,18 +252,18 @@ cookie.
 
 Now add the ``login`` and ``logout`` views at the end of the file:
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 91-123
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 88-121
    :language: python
 
 ``login()`` has two decorators:
 
 - a ``@view_config`` decorator which associates it with the ``login`` route
-  and makes it visible when we visit ``/login``,
+  and makes it visible when we visit ``/login``, and
 - a ``@forbidden_view_config`` decorator which turns it into a
   :term:`forbidden view`. ``login()`` will be invoked when a user tries to
   execute a view callable for which they lack authorization.  For example, if
-  a user has not logged in and tries to add or edit a Wiki page, they will be
+  a user has not logged in and tries to add or edit a wiki page, they will be
   shown the login form before being allowed to continue.
 
 The order of these two :term:`view configuration` decorators is unimportant.
@@ -270,36 +271,36 @@ The order of these two :term:`view configuration` decorators is unimportant.
 ``logout()`` is decorated with a ``@view_config`` decorator which associates
 it with the ``logout`` route.  It will be invoked when we visit ``/logout``.
 
-Add the ``login.pt`` Template
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add the ``login.jinja2`` template
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Create ``tutorial/tutorial/templates/login.pt`` with the following content:
+Create ``tutorial/tutorial/templates/login.jinja2`` with the following content:
 
-.. literalinclude:: src/authorization/tutorial/templates/login.pt
+.. literalinclude:: src/authorization/tutorial/templates/login.jinja2
    :language: html
 
 The above template is referenced in the login view that we just added in
-``views.py``.
+``views/default.py``.
 
 Return a ``logged_in`` flag to the renderer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/tutorial/views.py`` again. Add a ``logged_in`` parameter to
-the return value of ``view_page()``, ``edit_page()``, and ``add_page()`` as
-follows:
+Open ``tutorial/tutorial/views/default.py`` again. Add a ``logged_in``
+parameter to the return value of ``view_page()``, ``add_page()``, and
+``edit_page()`` as follows:
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 57-58
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 54-55
    :emphasize-lines: 1-2
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 72-73
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 69-70
    :emphasize-lines: 1-2
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views.py
-   :lines: 85-89
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 82-86
    :emphasize-lines: 3-4
    :language: python
 
@@ -311,19 +312,19 @@ the user is not authenticated, or a userid if the user is authenticated.
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/tutorial/templates/edit.pt`` and
-``tutorial/tutorial/templates/view.pt`` and add the following code as
+Open ``tutorial/tutorial/templates/edit.jinja2`` and
+``tutorial/tutorial/templates/view.jinja2`` and add the following code as
 indicated by the highlighted lines.
 
-.. literalinclude:: src/authorization/tutorial/templates/edit.pt
-   :lines: 34-38
-   :emphasize-lines: 3-5
+.. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
+   :lines: 34-40
+   :emphasize-lines: 3-7
    :language: html
 
-The attribute ``tal:condition="logged_in"`` will make the element be included
-when ``logged_in`` is any user id. The link will invoke the logout view.  The
-above element will not be included if ``logged_in`` is ``None``, such as when
-a user is not authenticated.
+The attribute ``logged_in`` will make the element be included when
+``logged_in`` is any user id.  The link will invoke the logout view.  The above
+element will not be included if ``logged_in`` is ``None``, such as when a user
+is not authenticated.
 
 Reviewing our changes
 ---------------------
@@ -332,7 +333,7 @@ Our ``tutorial/tutorial/__init__.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
-   :emphasize-lines: 2-3,7,21-23,25-27,31-32
+   :emphasize-lines: 2-3,5,10-12,14-16,21-22
    :language: python
 
 Only the highlighted lines need to be added or edited.
@@ -346,31 +347,31 @@ Our ``tutorial/tutorial/models/mymodel.py`` will look like this when we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/views.py`` will look like this when we're done:
+Our ``tutorial/tutorial/views/default.py`` will look like this when we're done:
 
-.. literalinclude:: src/authorization/tutorial/views.py
+.. literalinclude:: src/authorization/tutorial/views/default.py
    :linenos:
-   :emphasize-lines: 9-11,14-19,25,31,37,58,61,73,76,88,91-117,119-123
+   :emphasize-lines: 10-20,27-28,33-34,54-55,57-58,69-70,72-73,84-85,88-121
    :language: python
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/edit.pt`` template will look like this when
+Our ``tutorial/tutorial/templates/edit.jinja2`` template will look like this when
 we're done:
 
-.. literalinclude:: src/authorization/tutorial/templates/edit.pt
+.. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
    :linenos:
-   :emphasize-lines: 36-38
+   :emphasize-lines: 36-40
    :language: html
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/view.pt`` template will look like this when
+Our ``tutorial/tutorial/templates/view.jinja2`` template will look like this when
 we're done:
 
-.. literalinclude:: src/authorization/tutorial/templates/view.pt
+.. literalinclude:: src/authorization/tutorial/templates/view.jinja2
    :linenos:
-   :emphasize-lines: 36-38
+   :emphasize-lines: 36-40
    :language: html
 
 Only the highlighted lines need to be added or edited.
@@ -405,5 +406,3 @@ following URLs, checking that the result is as expected:
   the login form with the ``editor`` credentials), we'll see a Logout link in
   the upper right hand corner.  When we click it, we're logged out, and
   redirected back to the front page.
-
-.. TODO update the lines to include in src/authorization/tutorial/__init__.py
-- 
cgit v1.2.3


From 14cff75aca9c2858d0575d8e6beba9758eb012d6 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Sun, 7 Feb 2016 23:39:33 -0600
Subject: update authorization chapter of wiki2 tutorial

---
 docs/tutorials/wiki2/authorization.rst | 115 ++++++++++++---------------------
 1 file changed, 40 insertions(+), 75 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index e40433497..1ee5cc714 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -42,7 +42,7 @@ Access control
 Add users and groups
 ~~~~~~~~~~~~~~~~~~~~
 
-Create a new ``tutorial/tutorial/security/default.py`` subpackage with the
+Create a new ``tutorial/security/default.py`` subpackage with the
 following content:
 
 .. literalinclude:: src/authorization/tutorial/security/default.py
@@ -68,21 +68,17 @@ database, but here we use "dummy" data to represent user and groups sources.
 Add an ACL
 ~~~~~~~~~~
 
-Open ``tutorial/tutorial/models/mymodel.py`` and add the following import
-statement just after the ``Base`` import at the top:
+Open ``tutorial/models/mymodel.py`` and add the following import
+statement at the top:
 
 .. literalinclude:: src/authorization/tutorial/models/mymodel.py
-   :lines: 3-6
-   :linenos:
-   :lineno-start: 3
+   :lines: 1-4
    :language: python
 
 Add the following class definition at the end:
 
 .. literalinclude:: src/authorization/tutorial/models/mymodel.py
-   :lines: 22-26
-   :linenos:
-   :lineno-start: 22
+   :lines: 22-29
    :language: python
 
 We import :data:`~pyramid.security.Allow`, an action that means that
@@ -100,13 +96,13 @@ need to associate it to our :app:`Pyramid` application, so the ACL is provided
 to each view in the :term:`context` of the request as the ``context``
 attribute.
 
-Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory`` parameter to
-our :term:`Configurator` constructor, that points to the class we created
-above:
+Open ``tutorial/__init__.py`` and define a new root factory using
+:meth:`pyramid.config.Configurator.set_root_factory` using the class that we
+created above:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 13-14
-   :emphasize-lines: 2
+   :lines: 14-17
+   :emphasize-lines: 17
    :language: python
 
 Only the highlighted line needs to be added.
@@ -122,22 +118,19 @@ for more information about what an :term:`ACL` represents.
 Add authentication and authorization policies
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/tutorial/__init__.py`` and add the highlighted import
+Open ``tutorial/__init__.py`` and add the highlighted import
 statements:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :lines: 1-5
-   :linenos:
    :emphasize-lines: 2-5
    :language: python
 
 Now add those policies to the configuration:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 7-16
-   :linenos:
-   :lineno-start: 7
-   :emphasize-lines: 4-6,9-10
+   :lines: 11-19
+   :emphasize-lines: 1-3,8-9
    :language: python
 
 Only the highlighted lines need to be added.
@@ -157,17 +150,17 @@ machinery represented by this policy; it is required.  The ``callback`` is the
 Add permission declarations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/tutorial/views/default.py`` and add a ``permission='view'``
+Open ``tutorial/views/default.py`` and add a ``permission='view'``
 parameter to the ``@view_config`` decorator for ``view_wiki()`` and
 ``view_page()`` as follows:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 27-29
-   :emphasize-lines: 1-2
+   :lines: 24-25
+   :emphasize-lines: 1
    :language: python
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 33-35
+   :lines: 29-31
    :emphasize-lines: 1-2
    :language: python
 
@@ -180,12 +173,12 @@ Add a ``permission='edit'`` parameter to the ``@view_config`` decorators for
 ``add_page()`` and ``edit_page()``:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 57-59
+   :lines: 52-54
    :emphasize-lines: 1-2
    :language: python
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 72-74
+   :lines: 66-68
    :emphasize-lines: 1-2
    :language: python
 
@@ -203,11 +196,11 @@ Login, logout
 
 Add routes for /login and /logout
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Go back to ``tutorial/tutorial/__init__.py`` and add these two routes as
+Go back to ``tutorial/__init__.py`` and add these two routes as
 highlighted:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 20-23
+   :lines: 21-24
    :emphasize-lines: 2-3
    :language: python
 
@@ -215,7 +208,7 @@ highlighted:
    ``view_page`` route definition:
 
    .. literalinclude:: src/authorization/tutorial/__init__.py
-      :lines: 23
+      :lines: 24
       :language: python
 
    This is because ``view_page``'s route definition uses a catch-all
@@ -235,12 +228,12 @@ We'll also add a ``logout`` view callable to our application and provide a
 link to it.  This view will clear the credentials of the logged in user and
 redirect back to the front page.
 
-Add the following import statements to ``tutorial/tutorial/views/default.py``
+Add the following import statements to ``tutorial/views/default.py``
 after the import from ``pyramid.httpexceptions``:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 10-20
-   :emphasize-lines: 1-11
+   :lines: 9-19
+   :emphasize-lines: 1-8,11
    :language: python
 
 All the highlighted lines need to be added or edited.
@@ -253,7 +246,7 @@ cookie.
 Now add the ``login`` and ``logout`` views at the end of the file:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 88-121
+   :lines: 81-112
    :language: python
 
 ``login()`` has two decorators:
@@ -274,7 +267,7 @@ it with the ``logout`` route.  It will be invoked when we visit ``/logout``.
 Add the ``login.jinja2`` template
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Create ``tutorial/tutorial/templates/login.jinja2`` with the following content:
+Create ``tutorial/templates/login.jinja2`` with the following content:
 
 .. literalinclude:: src/authorization/tutorial/templates/login.jinja2
    :language: html
@@ -282,38 +275,11 @@ Create ``tutorial/tutorial/templates/login.jinja2`` with the following content:
 The above template is referenced in the login view that we just added in
 ``views/default.py``.
 
-Return a ``logged_in`` flag to the renderer
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Open ``tutorial/tutorial/views/default.py`` again. Add a ``logged_in``
-parameter to the return value of ``view_page()``, ``add_page()``, and
-``edit_page()`` as follows:
-
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 54-55
-   :emphasize-lines: 1-2
-   :language: python
-
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 69-70
-   :emphasize-lines: 1-2
-   :language: python
-
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 82-86
-   :emphasize-lines: 3-4
-   :language: python
-
-Only the highlighted lines need to be added or edited.
-
-The :meth:`pyramid.request.Request.authenticated_userid` will be ``None`` if
-the user is not authenticated, or a userid if the user is authenticated.
-
 Add a "Logout" link when logged in
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Open ``tutorial/tutorial/templates/edit.jinja2`` and
-``tutorial/tutorial/templates/view.jinja2`` and add the following code as
+Open ``tutorial/templates/edit.jinja2`` and
+``tutorial/templates/view.jinja2`` and add the following code as
 indicated by the highlighted lines.
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
@@ -321,42 +287,41 @@ indicated by the highlighted lines.
    :emphasize-lines: 3-7
    :language: html
 
-The attribute ``logged_in`` will make the element be included when
-``logged_in`` is any user id.  The link will invoke the logout view.  The above
-element will not be included if ``logged_in`` is ``None``, such as when a user
-is not authenticated.
+The :meth:`pyramid.request.Request.authenticated_userid` will be ``None`` if
+the user is not authenticated, or a userid if the user is authenticated. This
+check will make the logout link active only when the user is logged in.
 
 Reviewing our changes
 ---------------------
 
-Our ``tutorial/tutorial/__init__.py`` will look like this when we're done:
+Our ``tutorial/__init__.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/__init__.py
    :linenos:
-   :emphasize-lines: 2-3,5,10-12,14-16,21-22
+   :emphasize-lines: 2-3,5,11-13,17-19,22-23
    :language: python
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/models/mymodel.py`` will look like this when we're done:
+Our ``tutorial/models/mymodel.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/models/mymodel.py
    :linenos:
-   :emphasize-lines: 3-6,22-26
+   :emphasize-lines: 1-4,22-29
    :language: python
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/views/default.py`` will look like this when we're done:
+Our ``tutorial/views/default.py`` will look like this when we're done:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :linenos:
-   :emphasize-lines: 10-20,27-28,33-34,54-55,57-58,69-70,72-73,84-85,88-121
+   :emphasize-lines: 9-16,19,24,29-30,52-53,66-67,81-112
    :language: python
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/edit.jinja2`` template will look like this when
+Our ``tutorial/templates/edit.jinja2`` template will look like this when
 we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
@@ -366,7 +331,7 @@ we're done:
 
 Only the highlighted lines need to be added or edited.
 
-Our ``tutorial/tutorial/templates/view.jinja2`` template will look like this when
+Our ``tutorial/templates/view.jinja2`` template will look like this when
 we're done:
 
 .. literalinclude:: src/authorization/tutorial/templates/view.jinja2
-- 
cgit v1.2.3


From 9e85d2bf9489fff46ec7ea47b79bebcdc19d9a8e Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Thu, 18 Feb 2016 01:18:20 -0600
Subject: update the authorization chapter

---
 docs/tutorials/wiki2/authorization.rst | 418 ++++++++++++---------------------
 1 file changed, 146 insertions(+), 272 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 1ee5cc714..eb9269dff 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -4,342 +4,216 @@
 Adding authorization
 ====================
 
-:app:`Pyramid` provides facilities for :term:`authentication` and
-:term:`authorization`.  We'll make use of both features to provide security
-to our application.  Our application currently allows anyone with access to
-the server to view, edit, and add pages to our wiki.  We'll change that to
-allow only people who are members of a *group* named ``group:editors`` to add
-and edit wiki pages but we'll continue allowing anyone with access to the
-server to view pages.
-
-We will also add a login page and a logout link on all the pages.  The login
-page will be shown when a user is denied access to any of the views that
-require permission, instead of a default "403 Forbidden" page.
-
-We will implement the access control with the following steps:
-
-* Add users and groups (``security/default.py``, a new subpackage).
-* Add an :term:`ACL` (``models/mymodel.py`` and ``__init__.py``).
-* Add an :term:`authentication policy` and an :term:`authorization policy`
-  (``__init__.py``).
-* Add :term:`permission` declarations to the ``edit_page`` and ``add_page``
-  views (``views/default.py``).
-
-Then we will add the login and logout feature:
-
-* Add routes for /login and /logout (``__init__.py``).
-* Add ``login`` and ``logout`` views (``views/default.py``).
-* Add a login template (``login.jinja2``).
-* Make the existing views return a ``logged_in`` flag to the renderer
+In the last chapter we built :term:`authentication` into our wiki2. We also
+went one step further and used the ``request.user`` object to perform some explicit :term:`authorization` checks. This is fine for a lot of
+applications but :app:`Pyramid` provides some facilities for cleaning this
+up and decoupling the constraints from the view function itself.
+
+We will implement access control with the following steps:
+
+* Update the :term:`authentication policy` to break down the
+  :term:`userid` into a list of :term:`principals <principal>`
+  (``security.py``).
+* Define an :term:`authorization policy` for mapping users, resources and
+  permissions (``security.py``).
+* Add new :term:`resource` definitions that will be used as the
+  :term:`context` for the wiki pages (``routes.py``).
+* Add an :term:`ACL` to each resource (``routes.py``).
+* Replace the inline checks on the views with :term:`permission` declarations
   (``views/default.py``).
-* Add a "Logout" link to be shown when logged in and viewing or editing a page
-  (``view.jinja2``, ``edit.jinja2``).
 
+Add user principals
+-------------------
 
-Access control
---------------
+A :term:`principal` is a level of abstraction on top of the raw
+:term:`userid` that describes the user in terms of capabilities, roles or
+other identifiers that are easier to generalize. The permissions are then
+written against the principals without focusing on the exact user involved.
 
-Add users and groups
-~~~~~~~~~~~~~~~~~~~~
+:app:`Pyramid` defines two builtin principals used in every application:
+:attr:`pyramid.security.Everyone` and :attr:`pyramid.security.Authenticated`.
+On top of these we have already mentioned the required principals for this
+application in the original design. The user has two possible roles:
+``editor`` and ``basic``. These will be prefixed by the ``role:``
+string to avoid clasing with any other types of principals.
 
-Create a new ``tutorial/security/default.py`` subpackage with the
-following content:
+Open the file ``tutorial/security.py`` and edit the following lines:
 
-.. literalinclude:: src/authorization/tutorial/security/default.py
+.. literalinclude:: src/authorization/tutorial/security.py
    :linenos:
+   :emphasize-lines: 3-6,17-24
    :language: python
 
-The ``groupfinder`` function accepts a userid and a request and
-returns one of these values:
-
-- If the userid exists in the system, it will return a sequence of group
-  identifiers (or an empty sequence if the user isn't a member of any groups).
-- If the userid *does not* exist in the system, it will return ``None``.
-
-For example, ``groupfinder('editor', request )`` returns ``['group:editor']``,
-``groupfinder('viewer', request)`` returns ``[]``, and ``groupfinder('admin',
-request)`` returns ``None``.  We will use ``groupfinder()`` as an
-:term:`authentication policy` "callback" that will provide the
-:term:`principal` or principals for a user.
-
-In a production system, user and group data will most often come from a
-database, but here we use "dummy" data to represent user and groups sources.
+Only the highlighted lines need to be added.
 
-Add an ACL
-~~~~~~~~~~
+Note that the role comes from the ``User`` object and finally we also
+add the ``user.id`` as a principal for when we want to allow that exact
+user to edit page's they've created.
 
-Open ``tutorial/models/mymodel.py`` and add the following import
-statement at the top:
+Add the authorization policy
+----------------------------
 
-.. literalinclude:: src/authorization/tutorial/models/mymodel.py
-   :lines: 1-4
-   :language: python
+We already added the :term:`authorization policy` in the previous chapter
+because :app:`Pyramid` requires one when adding an
+:term:`authentication policy`. However, it was not used anywhere and so we'll
+mention it now.
 
-Add the following class definition at the end:
+Open the file ``tutorial/security.py`` and notice the following lines:
 
-.. literalinclude:: src/authorization/tutorial/models/mymodel.py
-   :lines: 22-29
+.. literalinclude:: src/authorization/tutorial/security.py
+   :lines: 38-40
+   :lineno-match:
+   :emphasize-lines: 2
    :language: python
 
-We import :data:`~pyramid.security.Allow`, an action that means that
-permission is allowed, and :data:`~pyramid.security.Everyone`, a special
-:term:`principal` that is associated to all requests.  Both are used in the
-:term:`ACE` entries that make up the ACL.
-
-The ACL is a list that needs to be named `__acl__` and be an attribute of a
-class.  We define an :term:`ACL` with two :term:`ACE` entries.  The first entry
-allows any user (``Everyone``) the `view` permission.  The second entry allows
-the ``group:editors`` principal the `edit` permission.
+We're using the :class:`pyramid.authorization.ACLAuthorizationPolicy` which
+will suffice for most applications. It uses the :term:`context` to define
+the mapping between a :term:`principal` and :term:`permission` for the
+current request via the ``__acl__``.
 
-The ``RootFactory`` class that contains the ACL is a :term:`root factory`. We
-need to associate it to our :app:`Pyramid` application, so the ACL is provided
-to each view in the :term:`context` of the request as the ``context``
-attribute.
+Add resources and ACLs
+----------------------
 
-Open ``tutorial/__init__.py`` and define a new root factory using
-:meth:`pyramid.config.Configurator.set_root_factory` using the class that we
-created above:
+Resources are the hidden gem of :app:`Pyramid`. You've made it!
 
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 14-17
-   :emphasize-lines: 17
-   :language: python
+Every URL in a web application is representing a :term:`resource`
+(the **R** in Uniform Resource Locator). Often the resource is something
+in your data model but it could also be an abstraction over many models.
 
-Only the highlighted line needs to be added.
+Our wiki has two resources:
 
-We are now providing the ACL to the application.  See :ref:`assigning_acls`
-for more information about what an :term:`ACL` represents.
+#. A ``PageResource``. Represents a ``Page`` that is to be viewed or edited.
+   Only ``editor`` users as well as the original creator of the ``Page``
+   may edit the ``PageResource`` but anyone may view it.
 
-.. note:: Although we don't use the functionality here, the ``factory`` used
-   to create route contexts may differ per-route as opposed to globally.  See
-   the ``factory`` argument to :meth:`pyramid.config.Configurator.add_route`
-   for more info.
+#. A ``NewPage``. Represents a potential ``Page`` that does not exist.
+   Any logged-in user (roles ``basic`` or ``editor``) can create pages.
 
-Add authentication and authorization policies
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. note::
 
-Open ``tutorial/__init__.py`` and add the highlighted import
-statements:
+   The wiki data model is simple enough that the ``PageResource`` is
+   actually mostly redundant with our ``models.Page`` SQLAlchemy class. It is
+   completely valid to combine these into one class. However, for this
+   tutorial they are explicitly separated to make it clear the
+   parts that :app:`Pyramid` cares about versus application-defined objects.
 
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 1-5
-   :emphasize-lines: 2-5
-   :language: python
+There are many ways to define these resources, and they can even be grouped
+into collections with a hierarchy. However, we're keeping it simple here!
 
-Now add those policies to the configuration:
+Open the file ``tutorial/routes.py`` and edit the following lines:
 
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 11-19
-   :emphasize-lines: 1-3,8-9
+.. literalinclude:: src/authorization/tutorial/routes.py
+   :linenos:
+   :emphasize-lines: 1-7,14-50
    :language: python
 
-Only the highlighted lines need to be added.
-
-We are enabling an ``AuthTktAuthenticationPolicy``, which is based in an auth
-ticket that may be included in the request. We are also enabling an
-``ACLAuthorizationPolicy``, which uses an ACL to determine the *allow* or
-*deny* outcome for a view.
-
-Note that the :class:`pyramid.authentication.AuthTktAuthenticationPolicy`
-constructor accepts two arguments: ``secret`` and ``callback``.  ``secret`` is
-a string representing an encryption key used by the "authentication ticket"
-machinery represented by this policy; it is required.  The ``callback`` is the
-``groupfinder()`` function that we created before.
+The highlighted lines need to be edited or added.
 
+The ``NewPage`` has an ``__acl__`` on it that returns a list of
+mappings from :term:`principal` to :term:`permission`. This defines **who**
+can do **what** with that :term:`resource`. In our case we want to only
+allow users with the principals ``role:editor`` and ``role:basic`` to
+have the ``create`` permission:
 
-Add permission declarations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Open ``tutorial/views/default.py`` and add a ``permission='view'``
-parameter to the ``@view_config`` decorator for ``view_wiki()`` and
-``view_page()`` as follows:
-
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 24-25
-   :emphasize-lines: 1
+.. literalinclude:: src/authorization/tutorial/routes.py
+   :lines: 20-32
+   :lineno-match:
+   :emphasize-lines: 11,12
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 29-31
-   :emphasize-lines: 1-2
-   :language: python
-
-Only the highlighted lines, along with their preceding commas, need to be
-edited and added.
-
-This allows anyone to invoke these two views.
+The ``NewPage`` is loaded as the :term:`context` of the ``add_page``
+route by declaring a ``factory`` on the route:
 
-Add a ``permission='edit'`` parameter to the ``@view_config`` decorators for
-``add_page()`` and ``edit_page()``:
-
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 52-54
-   :emphasize-lines: 1-2
+.. literalinclude:: src/authorization/tutorial/routes.py
+   :lines: 15-16
+   :lineno-match:
+   :emphasize-lines: 2
    :language: python
 
-.. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 66-68
-   :emphasize-lines: 1-2
-   :language: python
+The ``PageResource`` defines the :term:`ACL` for a ``Page``. It uses an
+actual ``Page`` object to determine **who** can do **what** to the page.
 
-Only the highlighted lines, along with their preceding commas, need to be
-edited and added.
-
-The result is that only users who possess the ``edit`` permission at the time
-of the request may invoke those two views.
-
-We are done with the changes needed to control access.  The changes that
-follow will add the login and logout feature.
-
-Login, logout
--------------
-
-Add routes for /login and /logout
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Go back to ``tutorial/__init__.py`` and add these two routes as
-highlighted:
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :lines: 21-24
-   :emphasize-lines: 2-3
+.. literalinclude:: src/authorization/tutorial/routes.py
+   :lines: 34-50
+   :lineno-match:
+   :emphasize-lines: 14-16
    :language: python
 
-.. note:: The preceding lines must be added *before* the following
-   ``view_page`` route definition:
-
-   .. literalinclude:: src/authorization/tutorial/__init__.py
-      :lines: 24
-      :language: python
+The ``PageResource`` is loaded as the :term:`context` of the ``view_page``
+and ``edit_page`` route by declaring a ``factory`` on the routes:
 
-   This is because ``view_page``'s route definition uses a catch-all
-   "replacement marker" ``/{pagename}`` (see :ref:`route_pattern_syntax`)
-   which will catch any route that was not already caught by any route listed
-   above it in ``__init__.py``. Hence, for ``login`` and ``logout`` views to
-   have the opportunity of being matched (or "caught"), they must be above
-   ``/{pagename}``.
+.. literalinclude:: src/authorization/tutorial/routes.py
+   :lines: 14-18
+   :lineno-match:
+   :emphasize-lines: 1,4-5
+   :language: python
 
-Add login and logout views
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+Add view permissions
+--------------------
 
-We'll add a ``login`` view which renders a login form and processes the post
-from the login form, checking credentials.
+At this point we've modified our application to load the ``PageResource``,
+including the actual ``Page`` model in the ``page_factory``. The
+``PageResource`` is now the :term:`context` for all ``view_page`` and
+``edit_page`` views. Similarly the ``NewPage`` will be the context for
+the ``add_page`` view.
 
-We'll also add a ``logout`` view callable to our application and provide a
-link to it.  This view will clear the credentials of the logged in user and
-redirect back to the front page.
+Open the file ``views/default.py``.
 
-Add the following import statements to ``tutorial/views/default.py``
-after the import from ``pyramid.httpexceptions``:
+First, you can drop a few imports that are no longer necessary:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 9-19
-   :emphasize-lines: 1-8,11
+   :lines: 5-7
+   :lineno-match:
+   :emphasize-lines: 1
    :language: python
 
-All the highlighted lines need to be added or edited.
-
-:meth:`~pyramid.view.forbidden_view_config` will be used to customize the
-default 403 Forbidden page. :meth:`~pyramid.security.remember` and
-:meth:`~pyramid.security.forget` help to create and expire an auth ticket
-cookie.
-
-Now add the ``login`` and ``logout`` views at the end of the file:
+Edit the ``view_page`` view to declare the ``view`` permission and remove
+the explicit checks within the view:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :lines: 81-112
-   :language: python
-
-``login()`` has two decorators:
-
-- a ``@view_config`` decorator which associates it with the ``login`` route
-  and makes it visible when we visit ``/login``, and
-- a ``@forbidden_view_config`` decorator which turns it into a
-  :term:`forbidden view`. ``login()`` will be invoked when a user tries to
-  execute a view callable for which they lack authorization.  For example, if
-  a user has not logged in and tries to add or edit a wiki page, they will be
-  shown the login form before being allowed to continue.
-
-The order of these two :term:`view configuration` decorators is unimportant.
-
-``logout()`` is decorated with a ``@view_config`` decorator which associates
-it with the ``logout`` route.  It will be invoked when we visit ``/logout``.
-
-Add the ``login.jinja2`` template
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Create ``tutorial/templates/login.jinja2`` with the following content:
-
-.. literalinclude:: src/authorization/tutorial/templates/login.jinja2
-   :language: html
-
-The above template is referenced in the login view that we just added in
-``views/default.py``.
-
-Add a "Logout" link when logged in
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Open ``tutorial/templates/edit.jinja2`` and
-``tutorial/templates/view.jinja2`` and add the following code as
-indicated by the highlighted lines.
-
-.. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
-   :lines: 34-40
-   :emphasize-lines: 3-7
-   :language: html
-
-The :meth:`pyramid.request.Request.authenticated_userid` will be ``None`` if
-the user is not authenticated, or a userid if the user is authenticated. This
-check will make the logout link active only when the user is logged in.
-
-Reviewing our changes
----------------------
-
-Our ``tutorial/__init__.py`` will look like this when we're done:
-
-.. literalinclude:: src/authorization/tutorial/__init__.py
-   :linenos:
-   :emphasize-lines: 2-3,5,11-13,17-19,22-23
+   :lines: 18-23
+   :lineno-match:
+   :emphasize-lines: 2,4
    :language: python
 
-Only the highlighted lines need to be added or edited.
+The work of loading the page has already been done in the factory so we
+can just pull the ``page`` object out of the ``PageResource`` loaded as
+``request.context``. Our factory also guarantees we will have a ``Page`` as it
+raises ``HTTPNotFound`` otherwise - again simplifying the view logic.
 
-Our ``tutorial/models/mymodel.py`` will look like this when we're done:
+Edit the ``edit_page`` view to declare the ``edit`` permission:
 
-.. literalinclude:: src/authorization/tutorial/models/mymodel.py
-   :linenos:
-   :emphasize-lines: 1-4,22-29
+.. literalinclude:: src/authorization/tutorial/views/default.py
+   :lines: 38-42
+   :lineno-match:
+   :emphasize-lines: 2,4
    :language: python
 
-Only the highlighted lines need to be added or edited.
-
-Our ``tutorial/views/default.py`` will look like this when we're done:
+Edit the ``add_page`` view to declare the ``create`` permission:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
-   :linenos:
-   :emphasize-lines: 9-16,19,24,29-30,52-53,66-67,81-112
+   :lines: 52-56
+   :lineno-match:
+   :emphasize-lines: 2,4
    :language: python
 
-Only the highlighted lines need to be added or edited.
-
-Our ``tutorial/templates/edit.jinja2`` template will look like this when
-we're done:
-
-.. literalinclude:: src/authorization/tutorial/templates/edit.jinja2
-   :linenos:
-   :emphasize-lines: 36-40
-   :language: html
+Note the ``pagename`` here is pulled off of the context instead of
+``request.matchdict``. The factory has done a lot of work for us to hide the
+actual route pattern.
 
-Only the highlighted lines need to be added or edited.
+The ACLs defined on each :term:`resource` are used by the
+:term:`authorization policy` to determine if any
+:term:`principal` is allowed to have some :term:`permission`. If this check
+fails (for example, the user is not logged in) then a ``HTTPForbidden``
+exception will be raised automatically, thus we're able to drop those
+exceptions and checks from the views themselves. Rather we've defined them in
+terms of operations on a resource.
 
-Our ``tutorial/templates/view.jinja2`` template will look like this when
-we're done:
+The final ``tutorial/views/default.py`` should look like the following:
 
-.. literalinclude:: src/authorization/tutorial/templates/view.jinja2
+.. literalinclude:: src/authorization/tutorial/views/default.py
    :linenos:
-   :emphasize-lines: 36-40
-   :language: html
-
-Only the highlighted lines need to be added or edited.
+   :language: python
 
 Viewing the application in a browser
 ------------------------------------
-- 
cgit v1.2.3


From f99052e0790b8706161e432da0172b45a805d308 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Sun, 28 Feb 2016 01:18:23 -0800
Subject: wiki2 authorization (done) - minor grammar and syntax - align order
 of bullet points for NewPage and PageResource with code - synch up "viewing
 app in browser" sections between authentication and authzn

---
 docs/tutorials/wiki2/authorization.rst | 169 ++++++++++++++++++---------------
 1 file changed, 91 insertions(+), 78 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index eb9269dff..a2865d8cd 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -5,39 +5,40 @@ Adding authorization
 ====================
 
 In the last chapter we built :term:`authentication` into our wiki2. We also
-went one step further and used the ``request.user`` object to perform some explicit :term:`authorization` checks. This is fine for a lot of
-applications but :app:`Pyramid` provides some facilities for cleaning this
-up and decoupling the constraints from the view function itself.
+went one step further and used the ``request.user`` object to perform some
+explicit :term:`authorization` checks. This is fine for a lot of applications,
+but :app:`Pyramid` provides some facilities for cleaning this up and decoupling
+the constraints from the view function itself.
 
 We will implement access control with the following steps:
 
-* Update the :term:`authentication policy` to break down the
-  :term:`userid` into a list of :term:`principals <principal>`
-  (``security.py``).
+* Update the :term:`authentication policy` to break down the :term:`userid`
+  into a list of :term:`principals <principal>` (``security.py``).
 * Define an :term:`authorization policy` for mapping users, resources and
   permissions (``security.py``).
-* Add new :term:`resource` definitions that will be used as the
-  :term:`context` for the wiki pages (``routes.py``).
+* Add new :term:`resource` definitions that will be used as the :term:`context`
+  for the wiki pages (``routes.py``).
 * Add an :term:`ACL` to each resource (``routes.py``).
 * Replace the inline checks on the views with :term:`permission` declarations
   (``views/default.py``).
 
+
 Add user principals
 -------------------
 
-A :term:`principal` is a level of abstraction on top of the raw
-:term:`userid` that describes the user in terms of capabilities, roles or
-other identifiers that are easier to generalize. The permissions are then
-written against the principals without focusing on the exact user involved.
+A :term:`principal` is a level of abstraction on top of the raw :term:`userid`
+that describes the user in terms of its capabilities, roles, or other
+identifiers that are easier to generalize. The permissions are then written
+against the principals without focusing on the exact user involved.
 
 :app:`Pyramid` defines two builtin principals used in every application:
 :attr:`pyramid.security.Everyone` and :attr:`pyramid.security.Authenticated`.
 On top of these we have already mentioned the required principals for this
-application in the original design. The user has two possible roles:
-``editor`` and ``basic``. These will be prefixed by the ``role:``
-string to avoid clasing with any other types of principals.
+application in the original design. The user has two possible roles: ``editor``
+or ``basic``. These will be prefixed by the string ``role:`` to avoid clashing
+with any other types of principals.
 
-Open the file ``tutorial/security.py`` and edit the following lines:
+Open the file ``tutorial/security.py`` and edit it as follows:
 
 .. literalinclude:: src/authorization/tutorial/security.py
    :linenos:
@@ -46,19 +47,20 @@ Open the file ``tutorial/security.py`` and edit the following lines:
 
 Only the highlighted lines need to be added.
 
-Note that the role comes from the ``User`` object and finally we also
-add the ``user.id`` as a principal for when we want to allow that exact
-user to edit page's they've created.
+Note that the role comes from the ``User`` object. We also add the ``user.id``
+as a principal for when we want to allow that exact user to edit pages which
+they have created.
+
 
 Add the authorization policy
 ----------------------------
 
 We already added the :term:`authorization policy` in the previous chapter
 because :app:`Pyramid` requires one when adding an
-:term:`authentication policy`. However, it was not used anywhere and so we'll
+:term:`authentication policy`. However, it was not used anywhere, so we'll
 mention it now.
 
-Open the file ``tutorial/security.py`` and notice the following lines:
+In the file ``tutorial/security.py``, notice the following lines:
 
 .. literalinclude:: src/authorization/tutorial/security.py
    :lines: 38-40
@@ -66,36 +68,38 @@ Open the file ``tutorial/security.py`` and notice the following lines:
    :emphasize-lines: 2
    :language: python
 
-We're using the :class:`pyramid.authorization.ACLAuthorizationPolicy` which
-will suffice for most applications. It uses the :term:`context` to define
-the mapping between a :term:`principal` and :term:`permission` for the
-current request via the ``__acl__``.
+We're using the :class:`pyramid.authorization.ACLAuthorizationPolicy`, which
+will suffice for most applications. It uses the :term:`context` to define the
+mapping between a :term:`principal` and :term:`permission` for the current
+request via the ``__acl__``.
+
 
 Add resources and ACLs
 ----------------------
 
 Resources are the hidden gem of :app:`Pyramid`. You've made it!
 
-Every URL in a web application is representing a :term:`resource`
-(the **R** in Uniform Resource Locator). Often the resource is something
-in your data model but it could also be an abstraction over many models.
+Every URL in a web application represents a :term:`resource` (the "R" in
+Uniform Resource Locator). Often the resource is something in your data model,
+but it could also be an abstraction over many models.
 
 Our wiki has two resources:
 
-#. A ``PageResource``. Represents a ``Page`` that is to be viewed or edited.
-   Only ``editor`` users as well as the original creator of the ``Page``
-   may edit the ``PageResource`` but anyone may view it.
+#. A ``NewPage``. Represents a potential ``Page`` that does not exist. Any
+   logged-in user, having either role of ``basic`` or ``editor``, can create
+   pages.
 
-#. A ``NewPage``. Represents a potential ``Page`` that does not exist.
-   Any logged-in user (roles ``basic`` or ``editor``) can create pages.
+#. A ``PageResource``. Represents a ``Page`` that is to be viewed or edited.
+   ``editor`` users, as well as the original creator of the ``Page``, may edit
+   the ``PageResource``. Anyone may view it.
 
 .. note::
 
-   The wiki data model is simple enough that the ``PageResource`` is
-   actually mostly redundant with our ``models.Page`` SQLAlchemy class. It is
-   completely valid to combine these into one class. However, for this
-   tutorial they are explicitly separated to make it clear the
-   parts that :app:`Pyramid` cares about versus application-defined objects.
+   The wiki data model is simple enough that the ``PageResource`` is mostly
+   redundant with our ``models.Page`` SQLAlchemy class. It is completely valid
+   to combine these into one class. However, for this tutorial, they are
+   explicitly separated to make clear the distinction between the parts about
+   which :app:`Pyramid` cares versus application-defined objects.
 
 There are many ways to define these resources, and they can even be grouped
 into collections with a hierarchy. However, we're keeping it simple here!
@@ -109,11 +113,11 @@ Open the file ``tutorial/routes.py`` and edit the following lines:
 
 The highlighted lines need to be edited or added.
 
-The ``NewPage`` has an ``__acl__`` on it that returns a list of
-mappings from :term:`principal` to :term:`permission`. This defines **who**
-can do **what** with that :term:`resource`. In our case we want to only
-allow users with the principals ``role:editor`` and ``role:basic`` to
-have the ``create`` permission:
+The ``NewPage`` class has an ``__acl__`` on it that returns a list of mappings
+from :term:`principal` to :term:`permission`. This defines *who* can do *what*
+with that :term:`resource`. In our case we want to allow only those users with
+the principals of either ``role:editor`` or ``role:basic`` to have the
+``create`` permission:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
    :lines: 20-32
@@ -121,8 +125,8 @@ have the ``create`` permission:
    :emphasize-lines: 11,12
    :language: python
 
-The ``NewPage`` is loaded as the :term:`context` of the ``add_page``
-route by declaring a ``factory`` on the route:
+The ``NewPage`` is loaded as the :term:`context` of the ``add_page`` route by
+declaring a ``factory`` on the route:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
    :lines: 15-16
@@ -130,8 +134,8 @@ route by declaring a ``factory`` on the route:
    :emphasize-lines: 2
    :language: python
 
-The ``PageResource`` defines the :term:`ACL` for a ``Page``. It uses an
-actual ``Page`` object to determine **who** can do **what** to the page.
+The ``PageResource`` class defines the :term:`ACL` for a ``Page``. It uses an
+actual ``Page`` object to determine *who* can do *what* to the page.
 
 .. literalinclude:: src/authorization/tutorial/routes.py
    :lines: 34-50
@@ -139,8 +143,8 @@ actual ``Page`` object to determine **who** can do **what** to the page.
    :emphasize-lines: 14-16
    :language: python
 
-The ``PageResource`` is loaded as the :term:`context` of the ``view_page``
-and ``edit_page`` route by declaring a ``factory`` on the routes:
+The ``PageResource`` is loaded as the :term:`context` of the ``view_page`` and
+``edit_page`` routes by declaring a ``factory`` on the routes:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
    :lines: 14-18
@@ -148,14 +152,15 @@ and ``edit_page`` route by declaring a ``factory`` on the routes:
    :emphasize-lines: 1,4-5
    :language: python
 
+
 Add view permissions
 --------------------
 
 At this point we've modified our application to load the ``PageResource``,
 including the actual ``Page`` model in the ``page_factory``. The
 ``PageResource`` is now the :term:`context` for all ``view_page`` and
-``edit_page`` views. Similarly the ``NewPage`` will be the context for
-the ``add_page`` view.
+``edit_page`` views. Similarly the ``NewPage`` will be the context for the
+``add_page`` view.
 
 Open the file ``views/default.py``.
 
@@ -167,26 +172,27 @@ First, you can drop a few imports that are no longer necessary:
    :emphasize-lines: 1
    :language: python
 
-Edit the ``view_page`` view to declare the ``view`` permission and remove
-the explicit checks within the view:
+Edit the ``view_page`` view to declare the ``view`` permission, and remove the
+explicit checks within the view:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :lines: 18-23
    :lineno-match:
-   :emphasize-lines: 2,4
+   :emphasize-lines: 1-2,4
    :language: python
 
-The work of loading the page has already been done in the factory so we
-can just pull the ``page`` object out of the ``PageResource`` loaded as
-``request.context``. Our factory also guarantees we will have a ``Page`` as it
-raises ``HTTPNotFound`` otherwise - again simplifying the view logic.
+The work of loading the page has already been done in the factory, so we can
+just pull the ``page`` object out of the ``PageResource``, loaded as
+``request.context``. Our factory also guarantees we will have a ``Page``, as it
+raises the ``HTTPNotFound`` exception if no ``Page`` exists, again simplifying
+the view logic.
 
 Edit the ``edit_page`` view to declare the ``edit`` permission:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :lines: 38-42
    :lineno-match:
-   :emphasize-lines: 2,4
+   :emphasize-lines: 1-2,4
    :language: python
 
 Edit the ``add_page`` view to declare the ``create`` permission:
@@ -194,22 +200,21 @@ Edit the ``add_page`` view to declare the ``create`` permission:
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :lines: 52-56
    :lineno-match:
-   :emphasize-lines: 2,4
+   :emphasize-lines: 1-2,4
    :language: python
 
 Note the ``pagename`` here is pulled off of the context instead of
 ``request.matchdict``. The factory has done a lot of work for us to hide the
 actual route pattern.
 
-The ACLs defined on each :term:`resource` are used by the
-:term:`authorization policy` to determine if any
-:term:`principal` is allowed to have some :term:`permission`. If this check
-fails (for example, the user is not logged in) then a ``HTTPForbidden``
-exception will be raised automatically, thus we're able to drop those
-exceptions and checks from the views themselves. Rather we've defined them in
-terms of operations on a resource.
+The ACLs defined on each :term:`resource` are used by the :term:`authorization
+policy` to determine if any :term:`principal` is allowed to have some
+:term:`permission`. If this check fails (for example, the user is not logged
+in) then an ``HTTPForbidden`` exception will be raised automatically. Thus
+we're able to drop those exceptions and checks from the views themselves.
+Rather we've defined them in terms of operations on a resource.
 
-The final ``tutorial/views/default.py`` should look like the following:
+The final ``views/default.py`` should look like the following:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :linenos:
@@ -227,21 +232,29 @@ following URLs, checking that the result is as expected:
   is executable by any user.
 
 - http://localhost:6543/FrontPage invokes the ``view_page`` view of the
-  ``FrontPage`` page object.
+  ``FrontPage`` page object. There is a "Login" link in the upper right corner
+  while the user is not authenticated, else it is a "Logout" link when the user
+  is authenticated.
 
 - http://localhost:6543/FrontPage/edit_page invokes the edit view for the
-  FrontPage object.  It is executable by only the ``editor`` user.  If a
-  different user (or the anonymous user) invokes it, a login form will be
-  displayed.  Supplying the credentials with the username ``editor``, password
-  ``editor`` will display the edit page form.
+  ``FrontPage`` object.  It is executable by only the ``editor`` user. If a
+  different user (or the anonymous user) invokes it, then a login form will be
+  displayed. Supplying the credentials with the username ``editor`` and
+  password ``editor`` will display the edit page form.
 
 - http://localhost:6543/add_page/SomePageName invokes the add view for a page.
-  It is executable by only the ``editor`` user.  If a different user (or the
-  anonymous user) invokes it, a login form will be displayed. Supplying the
-  credentials with the username ``editor``, password ``editor`` will display
-  the edit page form.
+  It is executable by either the ``editor`` or ``basic`` user.  If a different
+  user (or the anonymous user) invokes it, then a login form will be displayed.
+  Supplying the credentials with either the username ``editor`` and password
+  ``editor``, or username ``basic`` and password ``basic``, will display the
+  edit page form.
+
+- http://localhost:6543/SomePageName/edit_page is editable by the ``basic``
+  user if the page was created by that user in the previous step. If, instead,
+  the page was created by the ``editor`` user, then the login page should be
+  shown for the ``basic`` user.
 
 - After logging in (as a result of hitting an edit or add page and submitting
-  the login form with the ``editor`` credentials), we'll see a Logout link in
+  the login form with the ``editor`` credentials), we'll see a "Logout" link in
   the upper right hand corner.  When we click it, we're logged out, and
   redirected back to the front page.
-- 
cgit v1.2.3


From 44c087008f39dba616ea62eb413f2fa96a5b6fb3 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Sun, 28 Feb 2016 13:04:30 -0600
Subject: fix some nits

---
 docs/tutorials/wiki2/authorization.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index a2865d8cd..1be961f61 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -162,7 +162,7 @@ including the actual ``Page`` model in the ``page_factory``. The
 ``edit_page`` views. Similarly the ``NewPage`` will be the context for the
 ``add_page`` view.
 
-Open the file ``views/default.py``.
+Open the file ``tutorial/views/default.py``.
 
 First, you can drop a few imports that are no longer necessary:
 
@@ -214,7 +214,7 @@ in) then an ``HTTPForbidden`` exception will be raised automatically. Thus
 we're able to drop those exceptions and checks from the views themselves.
 Rather we've defined them in terms of operations on a resource.
 
-The final ``views/default.py`` should look like the following:
+The final ``tutorial/views/default.py`` should look like the following:
 
 .. literalinclude:: src/authorization/tutorial/views/default.py
    :linenos:
-- 
cgit v1.2.3


From 3e30040da7c2d5c38b330727b48d9f6b852956d9 Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Sun, 28 Feb 2016 22:30:22 -0800
Subject: redirect to edit page when user attempts to add page that already
 exists - update src/*/views/default.py - update src/*/routes.py - write new
 test - revise docs, double-checking line counts and highlighting

---
 docs/tutorials/wiki2/authorization.rst | 51 ++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 24 deletions(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index a2865d8cd..3dec21a23 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -108,7 +108,7 @@ Open the file ``tutorial/routes.py`` and edit the following lines:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
    :linenos:
-   :emphasize-lines: 1-7,14-50
+   :emphasize-lines: 1-11,17-
    :language: python
 
 The highlighted lines need to be edited or added.
@@ -120,34 +120,34 @@ the principals of either ``role:editor`` or ``role:basic`` to have the
 ``create`` permission:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
-   :lines: 20-32
+   :lines: 30-38
    :lineno-match:
-   :emphasize-lines: 11,12
+   :emphasize-lines: 5-9
    :language: python
 
 The ``NewPage`` is loaded as the :term:`context` of the ``add_page`` route by
 declaring a ``factory`` on the route:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
-   :lines: 15-16
+   :lines: 18-19
    :lineno-match:
-   :emphasize-lines: 2
+   :emphasize-lines: 1-2
    :language: python
 
 The ``PageResource`` class defines the :term:`ACL` for a ``Page``. It uses an
 actual ``Page`` object to determine *who* can do *what* to the page.
 
 .. literalinclude:: src/authorization/tutorial/routes.py
-   :lines: 34-50
+   :lines: 47-
    :lineno-match:
-   :emphasize-lines: 14-16
+   :emphasize-lines: 5-10
    :language: python
 
 The ``PageResource`` is loaded as the :term:`context` of the ``view_page`` and
 ``edit_page`` routes by declaring a ``factory`` on the routes:
 
 .. literalinclude:: src/authorization/tutorial/routes.py
-   :lines: 14-18
+   :lines: 17-21
    :lineno-match:
    :emphasize-lines: 1,4-5
    :language: python
@@ -236,25 +236,28 @@ following URLs, checking that the result is as expected:
   while the user is not authenticated, else it is a "Logout" link when the user
   is authenticated.
 
-- http://localhost:6543/FrontPage/edit_page invokes the edit view for the
-  ``FrontPage`` object.  It is executable by only the ``editor`` user. If a
-  different user (or the anonymous user) invokes it, then a login form will be
-  displayed. Supplying the credentials with the username ``editor`` and
+- http://localhost:6543/FrontPage/edit_page invokes the ``edit_page`` view for
+  the ``FrontPage`` page object.  It is executable by only the ``editor`` user.
+  If a different user (or the anonymous user) invokes it, then a login form
+  will be displayed. Supplying the credentials with the username ``editor`` and
   password ``editor`` will display the edit page form.
 
-- http://localhost:6543/add_page/SomePageName invokes the add view for a page.
-  It is executable by either the ``editor`` or ``basic`` user.  If a different
-  user (or the anonymous user) invokes it, then a login form will be displayed.
-  Supplying the credentials with either the username ``editor`` and password
-  ``editor``, or username ``basic`` and password ``basic``, will display the
-  edit page form.
+- http://localhost:6543/add_page/SomePageName invokes the ``add_page`` view for
+  a page. If the page already exists, then it redirects the user to the
+  ``edit_page`` view for the page object. It is executable by either the
+  ``editor`` or ``basic`` user.  If a different user (or the anonymous user)
+  invokes it, then a login form will be displayed. Supplying the credentials
+  with either the username ``editor`` and password ``editor``, or username
+  ``basic`` and password ``basic``, will display the edit page form.
 
-- http://localhost:6543/SomePageName/edit_page is editable by the ``basic``
-  user if the page was created by that user in the previous step. If, instead,
-  the page was created by the ``editor`` user, then the login page should be
-  shown for the ``basic`` user.
+- http://localhost:6543/SomePageName/edit_page invokes the ``edit_page`` view
+  for an existing page, or generates an error if the page does not exist. It is
+  editable by the ``basic`` user if the page was created by that user in the
+  previous step. If, instead, the page was created by the ``editor`` user, then
+  the login page should be shown for the ``basic`` user.
 
 - After logging in (as a result of hitting an edit or add page and submitting
   the login form with the ``editor`` credentials), we'll see a "Logout" link in
-  the upper right hand corner.  When we click it, we're logged out, and
-  redirected back to the front page.
+  the upper right hand corner.  When we click it, we're logged out, redirected
+  back to the front page, and a "Login" link is shown in the upper right hand
+  corner.
-- 
cgit v1.2.3


From 50642ec0d3705db51564d1511695da53f63ff82b Mon Sep 17 00:00:00 2001
From: Steve Piercy <web@stevepiercy.com>
Date: Sat, 9 Apr 2016 14:05:23 -0700
Subject: - update wiki2/authorization step

---
 docs/tutorials/wiki2/authorization.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/tutorials/wiki2/authorization.rst')

diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst
index 962e2859c..234f40e3b 100644
--- a/docs/tutorials/wiki2/authorization.rst
+++ b/docs/tutorials/wiki2/authorization.rst
@@ -4,7 +4,7 @@
 Adding authorization
 ====================
 
-In the last chapter we built :term:`authentication` into our wiki2. We also
+In the last chapter we built :term:`authentication` into our wiki. We also
 went one step further and used the ``request.user`` object to perform some
 explicit :term:`authorization` checks. This is fine for a lot of applications,
 but :app:`Pyramid` provides some facilities for cleaning this up and decoupling
-- 
cgit v1.2.3