From 389ac52e76f64da5bdf87acd19aa1b2fb5cf664b Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Sun, 2 Nov 2008 22:14:58 +0000 Subject: - Fix bug where default deny in authorization check would throw a TypeError (use ``ACLDenied`` instead of ``Denied``). --- repoze/bfg/security.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'repoze/bfg/security.py') diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py index 21b7f98d3..860f4a0fd 100644 --- a/repoze/bfg/security.py +++ b/repoze/bfg/security.py @@ -24,7 +24,7 @@ def has_permission(permission, context, request): application.""" policy = queryUtility(ISecurityPolicy) if policy is None: - return True + return Allowed('No security policy in use.') return policy.permits(context, request, permission) def authenticated_userid(request): @@ -85,7 +85,8 @@ class ACLAuthorizer(object): else: return ACLDenied(ace, acl, permission, principals, self.context) - # default deny + + # default deny if no ACE matches in the ACL found result = ACLDenied(None, acl, permission, principals, self.context) return result @@ -104,11 +105,11 @@ class ACLSecurityPolicy(object): authorizer = self.authorizer_factory(location) try: return authorizer.permits(permission, *principals) - except NoAuthorizationInformation: continue - return Denied(None, None, permission, principals, self.context) + # default deny if no ACL in lineage at all + return ACLDenied(None, None, permission, principals, context) def authenticated_userid(self, request): principals = self.get_principals(request) -- cgit v1.2.3
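Review bot: The `policy is None` branch of has_permission still fails open: the new `return Allowed('No security policy in use.')` replaces `return True`, so when no ISecurityPolicy utility is registered every permission check is granted, and a registration that is missing or fails silently would authorize every request. If that default is intended, it should be stated where a maintainer will see it. I would add `# NOTE: fails open - with no ISecurityPolicy registered, every permission check is allowed` above the return, and one sentence to the docstring saying the same. The signature is visible only in the hunk header and the docstring starts outside the hunk, so the existing docstring may already cover this.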
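Review bot: The new default-deny return in ACLSecurityPolicy passes bare `context` where the removed line passed `self.context`, and the enclosing method's signature is outside the hunk, so it is worth confirming that `context` is bound there; otherwise the deny path would raise a NameError in place of the TypeError this commit removes. An authorization decision that ends in an exception instead of a denial result is easy to miss until it is hit at runtime, so I would pin this path with a test: a lineage with no ACL at all should return an `ACLDenied` result and not raise. The view here is limited to security.py, so such a test may already be part of the commit. Separately, `except NoAuthorizationInformation:` is shown with a `-` and no matching `+`; if that is not a rendering artefact, the `try:` is left without a handler.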