pyramid.authorization
A helper for use with constructing a security policy which consults an ACL object attached to a context to determine authorization information about a principal or multiple principals. If the context is part of a lineage, the context's parents are consulted for ACL information too.

Return an instance of pyramid.authorization.ACLAllowed if the ACL allows access to a user with the given principals; return an instance of pyramid.authorization.ACLDenied if not.

When checking if principals are allowed, the security policy consults the context for an ACL first. If no ACL exists on the context, or one does exist but the ACL does not explicitly allow or deny access for any of the effective principals, consult the context's parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies.

During this processing, if any pyramid.authorization.Deny ACE is found matching any principal in principals, stop processing by returning a pyramid.authorization.ACLDenied instance (equals False) immediately. If any pyramid.authorization.Allow ACE is found matching any principal, stop processing by returning a pyramid.authorization.ACLAllowed instance (equals True) immediately. If we exhaust the context's lineage, and no ACE has explicitly permitted or denied access, return an instance of pyramid.authorization.ACLDenied (equals False).
Return the set of principals explicitly granted the permission named permission according to the ACL directly attached to the context as well as inherited ACLs based on the lineage.

When computing principals allowed by a permission, we compute the set of principals that are explicitly granted the permission in the provided context. We do this by walking 'up' the object graph from the root to the context. During this walking process, if we find an explicit pyramid.authorization.Allow ACE for a principal that matches the permission, the principal is included in the allow list. However, if later in the walking process that principal is mentioned in any pyramid.authorization.Deny ACE for the permission, the principal is removed from the allow list. If a pyramid.authorization.Deny to the principal pyramid.authorization.Everyone is encountered during the walking process that matches the permission, the allow list is cleared for all principals encountered in previous ACLs. The walking process ends after we've processed any ACL directly attached to context; a set of principals is returned.
An authorization policy which consults an ACL object attached to a context to determine authorization information about a principal or multiple principals. This class is a wrapper around ACLHelper; refer to that class for more detailed documentation.

Objects of this class implement the pyramid.interfaces.IAuthorizationPolicy interface.

Deprecated since version 2.0: Authorization policies have been deprecated by the new security system. See Upgrading Authentication/Authorization for more information.
Constants

The special principal id named Everyone. This principal id is granted to all requests. Its actual value is the string 'system.Everyone'.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.
The special principal id named Authenticated. This principal id is granted to all requests which contain any other non-Everyone principal id (according to the authentication policy). Its actual value is the string 'system.Authenticated'.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.
An object that can be used as the permission member of an ACE which matches all permissions unconditionally. For example, an ACE that uses ALL_PERMISSIONS might be composed like so: ('Deny', 'system.Everyone', ALL_PERMISSIONS).

New in version 2.0: Moved from pyramid.security into pyramid.authorization.
A convenience shorthand ACE that defines ('Deny', 'system.Everyone', ALL_PERMISSIONS). This is often used as the last ACE in an ACL in systems that use an "inheriting" security policy, representing the concept "don't inherit any other ACEs".

New in version 2.0: Moved from pyramid.security into pyramid.authorization.
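The following is an added, self-contained example that re-implements the two walks documented above for ACLHelper (the permits check that stops at the first matching ACE, and the root-to-context computation of principals allowed by a permission) and shows how a trailing DENY_ALL ACE cuts off inheritance. It is not Pyramid's own code and imports nothing from Pyramid: the Resource class, the lineage helper, the sample resource tree and the ACLs on it are constructed for illustration, and the result classes carry the ace, acl, permission, principals and msg fields described in the Return Values section.

```python
# Added example: stand-alone re-implementation of the ACL walks described above.
# Nothing here is imported from Pyramid; Resource, lineage and the sample ACLs
# are constructed for illustration.

Everyone = 'system.Everyone'
Authenticated = 'system.Authenticated'
Allow = 'Allow'
Deny = 'Deny'


class AllPermissionsList:
    """Stand-in for ALL_PERMISSIONS: 'in' matches any permission name."""
    def __contains__(self, permission):
        return True

    def __repr__(self):
        return 'ALL_PERMISSIONS'


ALL_PERMISSIONS = AllPermissionsList()
DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS)


class PermitsResult(int):
    """int subclass so that ACLAllowed == True and ACLDenied == False; carries
    the ACE, ACL, permission and principals that produced the result plus msg."""
    boolval = None

    def __new__(cls, ace, acl, permission, principals, context):
        inst = int.__new__(cls, cls.boolval)
        inst.ace, inst.acl, inst.permission = ace, acl, permission
        inst.principals, inst.context = principals, context
        inst.msg = '%s permission %r via ACE %r on %r for principals %r' % (
            cls.__name__, permission, ace, context, sorted(principals))
        return inst


class ACLAllowed(PermitsResult):
    boolval = 1


class ACLDenied(PermitsResult):
    boolval = 0


class Resource:
    """Minimal context object: an optional __acl__ plus a __parent__ link."""
    def __init__(self, name, acl=None, parent=None):
        self.__name__, self.__acl__, self.__parent__ = name, acl, parent

    def __repr__(self):
        return '<Resource %s>' % self.__name__


def lineage(context):
    """Yield the context, its parent, grandparent, ... up to the root."""
    while context is not None:
        yield context
        context = getattr(context, '__parent__', None)


def _ace_permissions(perms):
    """An ACE's permission slot is one name, a list of names, or ALL_PERMISSIONS."""
    return (perms,) if isinstance(perms, str) else perms


def permits(context, principals, permission):
    """First matching ACE wins, walking from the context up its lineage;
    no match anywhere in the lineage means default deny."""
    principals = set(principals)
    for location in lineage(context):
        acl = getattr(location, '__acl__', None) or ()
        for ace in acl:
            action, principal, perms = ace
            if principal in principals and permission in _ace_permissions(perms):
                result = ACLAllowed if action == Allow else ACLDenied
                return result(ace, acl, permission, principals, location)
    return ACLDenied('<default deny>', None, permission, principals, context)


def principals_allowed_by_permission(context, permission):
    """Walk from the root down to the context, collecting explicit Allows and
    dropping principals a later Deny names; a Deny to Everyone (e.g. DENY_ALL)
    clears everything collected from ancestor ACLs."""
    allowed = set()
    for location in reversed(list(lineage(context))):
        acl = getattr(location, '__acl__', None) or ()
        allowed_here, denied_here = set(), set()
        for action, principal, perms in acl:
            if permission not in _ace_permissions(perms):
                continue
            if action == Allow and principal not in denied_here:
                allowed_here.add(principal)
            elif action == Deny:
                denied_here.add(principal)
                if principal == Everyone:
                    allowed = set()  # stop inheriting anything from ancestors
                    break
                allowed.discard(principal)
        allowed.update(allowed_here)
    return allowed


# Constructed sample tree: root (ACL) -> blog (no ACL, inherits) -> private (DENY_ALL last)
ROOT = Resource('root', acl=[
    (Allow, Everyone, 'view'),
    (Allow, 'group:editors', ['edit', 'view']),
    (Allow, 'alice', ALL_PERMISSIONS),
])
BLOG = Resource('blog', parent=ROOT)
PRIVATE = Resource('private', parent=BLOG, acl=[(Allow, 'bob', 'view'), DENY_ALL])

if __name__ == '__main__':
    for ctx, who, perm in [(BLOG, [Everyone, 'carol'], 'view'),
                           (PRIVATE, [Everyone, 'carol'], 'view'),
                           (PRIVATE, [Everyone, Authenticated, 'alice'], 'edit')]:
        print(permits(ctx, who, perm).msg)
    print(sorted(principals_allowed_by_permission(PRIVATE, 'view')))
```

Two behaviours are worth noticing when run: alice is granted ALL_PERMISSIONS at the root, yet is still denied 'edit' on PRIVATE, because permits stops at the first matching ACE and DENY_ALL on PRIVATE matches her Everyone principal before the root ACL is ever consulted; and principals_allowed_by_permission for 'view' on PRIVATE returns only bob, since the Deny to Everyone wipes the principals gathered from the root ACL while keeping the Allow that precedes it in the same ACL.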
Return Values

Create a new instance.
- Parameters
  ace -- The ACE that matched, triggering the result.
  acl -- The ACL containing ace.
  permission -- The required permission.
  principals -- The list of principals provided.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

A string indicating why the result was generated.
Create a new instance.
- Parameters
  ace -- The ACE that matched, triggering the result.
  acl -- The ACL containing ace.
  permission -- The required permission.
  principals -- The list of principals provided.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

A string indicating why the result was generated.