From 2d931400b22f4c5764df68c2799be512e60a2de1 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Mon, 18 Mar 2013 21:00:50 -0700
Subject: support acl as a callable

---
 docs/narr/security.rst | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'docs')

diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 5b79edd19..36c888559 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -270,6 +270,27 @@ resource instances with an ACL (as opposed to just decorating their class) in
 applications such as "CMS" systems where fine-grained access is required on
 an object-by-object basis.
 
+Dynamic ACLs are also possible by turning the ACL into a callable on the
+resource. This may allow the ACL to dynamically generate rules based on
+properties of the instance.
+
+.. code-block:: python
+   :linenos:
+
+   from pyramid.security import Allow
+   from pyramid.security import Everyone
+
+   class Blog(object):
+       def __acl__(self):
+           return [
+               (Allow, Everyone, 'view'),
+               (Allow, self.owner, 'edit'),
+               (Allow, 'group:editors', 'edit'),
+           ]
+
+       def __init__(self, owner):
+           self.owner = owner
+
 .. index::
    single: ACE
    single: access control entry
-- 
cgit v1.2.3