An authorization policy which consults an ACL object attached to a context to determine authorization information about a principal or multiple principals. If the context is part of a lineage, the context’s parents are consulted for ACL information too. The following is true about this security policy.
When checking whether the ‘current’ user is permitted (via the
permitsmethod), the security policy consults the
contextfor an ACL first. If no ACL exists on the context, or one does exist but the ACL does not explicitly allow or deny access for any of the effective principals, consult the context’s parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies.
During this processing, if any
pyramid.security.DenyACE is found matching any principal in
principals, stop processing by returning an
False) immediately. If any
pyramid.security.AllowACE is found matching any principal, stop processing by returning an
True) immediately. If we exhaust the context’s lineage, and no ACE has explicitly permitted or denied access, return an instance of
When computing principals allowed by a permission via the
pyramid.security.principals_allowed_by_permission()method, we compute the set of principals that are explicitly granted the
permissionin the provided
context. We do this by walking ‘up’ the object graph from the root to the context. During this walking process, if we find an explicit
pyramid.security.AllowACE for a principal that matches the
permission, the principal is included in the allow list. However, if later in the walking process that principal is mentioned in any
pyramid.security.DenyACE for the permission, the principal is removed from the allow list. If a
pyramid.security.Denyto the principal
pyramid.security.Everyoneis encountered during the walking process that matches the
permission, the allow list is cleared for all principals encountered in previous ACLs. The walking process ends after we’ve processed the any ACL directly attached to
context; a set of principals is returned.