1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
.. _security_module:
:mod:`pyramid.security`
==========================
.. automodule:: pyramid.security
Authentication API Functions
----------------------------
.. autofunction:: authenticated_userid
.. autofunction:: unauthenticated_userid
.. autofunction:: effective_principals
.. autofunction:: forget
.. autofunction:: remember(request, userid, **kwargs)
Authorization API Functions
---------------------------
.. autofunction:: has_permission
.. autofunction:: principals_allowed_by_permission
.. autofunction:: view_execution_permitted
Constants
---------
.. attribute:: Everyone
The special principal id named 'Everyone'. This principal id is
granted to all requests. Its actual value is the string
'system.Everyone'.
.. attribute:: Authenticated
The special principal id named 'Authenticated'. This principal id
is granted to all requests which contain any other non-Everyone
principal id (according to the :term:`authentication policy`).
Its actual value is the string 'system.Authenticated'.
.. attribute:: ALL_PERMISSIONS
An object that can be used as the ``permission`` member of an ACE
which matches all permissions unconditionally. For example, an
ACE that uses ``ALL_PERMISSIONS`` might be composed like so:
``('Deny', 'system.Everyone', ALL_PERMISSIONS)``.
.. attribute:: DENY_ALL
A convenience shorthand ACE that defines ``('Deny',
'system.Everyone', ALL_PERMISSIONS)``. This is often used as the
last ACE in an ACL in systems that use an "inheriting" security
policy, representing the concept "don't inherit any other ACEs".
.. attribute:: NO_PERMISSION_REQUIRED
A special permission which indicates that the view should always
be executable by entirely anonymous users, regardless of the
default permission, bypassing any :term:`authorization policy`
that may be in effect. Its actual value is the string
'__no_permission_required__'.
Return Values
-------------
.. attribute:: Allow
The ACE "action" (the first element in an ACE e.g. ``(Allow, Everyone,
'read')`` that means allow access. A sequence of ACEs makes up an
ACL. It is a string, and its actual value is "Allow".
.. attribute:: Deny
The ACE "action" (the first element in an ACE e.g. ``(Deny,
'george', 'read')`` that means deny access. A sequence of ACEs
makes up an ACL. It is a string, and its actual value is "Deny".
.. autoclass:: ACLDenied
:members:
.. autoclass:: ACLAllowed
:members:
.. autoclass:: Denied
:members:
.. autoclass:: Allowed
:members:
|
