class ACLAuthorizationPolicy

An authorization policy which consults an ACL object attached to a context to determine authorization information about one or more principals. If the context is part of a lineage, the context’s parents are consulted for ACL information too. The following is true of this security policy.

  • When checking whether the ‘current’ user is permitted (via the permits method), the security policy consults the context for an ACL first. If no ACL exists on the context, or one exists but does not explicitly allow or deny access for any of the effective principals, the context’s parent ACL is consulted, and so on, until the lineage is exhausted or the policy determines that access is permitted or denied.

    During this processing, if an ACE that denies access is found matching any principal in principals, processing stops immediately by returning a result instance that evaluates to False. If an ACE that allows access is found matching any principal, processing stops immediately by returning a result instance that evaluates to True. If the context’s lineage is exhausted and no ACE has explicitly permitted or denied access, a result instance that evaluates to False is returned.

  • When asked which principals are allowed by a permission, we compute the set of principals that are explicitly granted that permission in the provided context. We do this by walking ‘up’ the object graph from the root to the context. During this walk, if we find an explicit allow ACE for a principal that matches the permission, the principal is added to the allow list. However, if later in the walk that principal is mentioned in any deny ACE for the permission, the principal is removed from the allow list. If a deny ACE addressed to the principal is encountered during the walk that matches the permission, the allow list is cleared for all principals encountered in previous ACLs. The walk ends once the ACL directly attached to the context (if any) has been processed; the resulting set of principals is returned.
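The two walks described above, written out as an added illustration that is not Pyramid's own ACLAuthorizationPolicy code: contexts are linked by a `__parent__` attribute, ACEs are `(action, principal, permissions)` tuples, and the action names, the catch-all principal name and the sample lineage in `build_tree()` are constructed assumptions for this example.

```python
# Added illustration of the ACL lookup rules; not Pyramid's own code.
# Each context carries an optional __acl__ and a __parent__ link (its lineage).
ALLOW, DENY = "Allow", "Deny"    # assumed names for the two ACE actions
EVERYONE = "system.Everyone"     # assumed name of the catch-all principal

class Context:
    def __init__(self, acl=None, parent=None):
        self.__acl__ = acl
        self.__parent__ = parent

def lineage(context):
    """Yield the context first, then each parent up to the root."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)

def permits(context, principals, permission):
    """Walk from the context up to the root; the first ACE naming one of the
    effective principals for this permission decides (allow -> True, deny -> False)."""
    for location in lineage(context):
        for action, principal, perms in getattr(location, "__acl__", None) or ():
            if principal in principals and permission in perms:
                return action == ALLOW
    return False  # lineage exhausted: nothing spoke about these principals

def principals_allowed_by_permission(context, permission):
    """Walk from the root down to the context, collecting principals that are
    explicitly allowed and dropping those a later ACE denies."""
    allowed = set()
    for location in reversed(list(lineage(context))):
        for action, principal, perms in getattr(location, "__acl__", None) or ():
            if permission not in perms:
                continue
            if action == DENY and principal == EVERYONE:
                allowed.clear()            # a deny-all wipes every earlier grant
            elif action == DENY:
                allowed.discard(principal)
            else:
                allowed.add(principal)
    return allowed

def build_tree():
    """Constructed sample lineage: root -> folder -> private."""
    root = Context([(ALLOW, "group:editors", ("view", "edit")),
                    (ALLOW, EVERYONE, ("view",))])
    folder = Context([(DENY, "alice", ("edit",)),
                      (ALLOW, "bob", ("edit",))], parent=root)
    private = Context([(DENY, EVERYONE, ("view",))], parent=folder)
    return root, folder, private
```

Note that `permits` stops at the first matching ACE for the permission, so the deny on `folder` overrides the allow that `alice` inherits through `group:editors` at `root`, while `principals_allowed_by_permission` reports the net result of the whole lineage.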