pyramid.authorization

class ACLHelper

A helper for use with constructing a security policy which consults an ACL object attached to a context to determine authorization information about a principal or multiple principals. If the context is part of a lineage, the context's parents are consulted for ACL information too.

permits(context, principals, permission)

Return an instance of pyramid.authorization.ACLAllowed if the ACL allows access to a user with the given principals; return an instance of pyramid.authorization.ACLDenied if not.

When checking if principals are allowed, the security policy consults the context for an ACL first. If no ACL exists on the context, or one does exist but the ACL does not explicitly allow or deny access for any of the effective principals, consult the context's parent ACL, and so on, until the lineage is exhausted or we determine that the policy permits or denies.

During this processing, if any pyramid.authorization.Deny ACE is found matching any principal in principals, stop processing by returning a pyramid.authorization.ACLDenied instance (equals False) immediately. If any pyramid.authorization.Allow ACE is found matching any principal, stop processing by returning a pyramid.authorization.ACLAllowed instance (equals True) immediately. If we exhaust the context's lineage and no ACE has explicitly permitted or denied access, return an instance of pyramid.authorization.ACLDenied (equals False).

principals_allowed_by_permission(context, permission)

Return the set of principals explicitly granted the permission named permission according to the ACL directly attached to the context as well as inherited ACLs based on the lineage.

When computing principals allowed by a permission, we compute the set of principals that are explicitly granted the permission in the provided context. We do this by walking 'up' the object graph from the root to the context. During this walking process, if we find an explicit pyramid.authorization.Allow ACE for a principal that matches the permission, the principal is included in the allow list. However, if later in the walking process that principal is mentioned in any pyramid.authorization.Deny ACE for the permission, the principal is removed from the allow list. If a pyramid.authorization.Deny to the principal pyramid.authorization.Everyone is encountered during the walking process that matches the permission, the allow list is cleared for all principals encountered in previous ACLs. The walking process ends after we've processed any ACL directly attached to context; a set of principals is returned.
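The two lineage walks described above for permits() and principals_allowed_by_permission(), as an added worked example; this is not Pyramid's own code but a plain-Python re-implementation of the documented semantics, so it runs without pyramid installed. The Resource class, the lineage() helper, the sample ACL tree (ROOT, BLOG, SECRET, LOCKED) and the wording of msg are this example's own assumptions; the constant values, ACE shapes and first-match / default-deny rules follow the text. It also shows how DENY_ALL as the last ACE stops inheritance, including for a principal the root would otherwise allow.

```python
# Added example (not Pyramid's own code): a plain-Python re-implementation of the
# documented ACL semantics, so the lineage walk can be exercised without pyramid.
Everyone = 'system.Everyone'            # same values as pyramid.authorization
Authenticated = 'system.Authenticated'
Allow, Deny = 'Allow', 'Deny'


class AllPermissionsList:
    """Sentinel that matches every permission, like ALL_PERMISSIONS."""
    def __contains__(self, permission):
        return True
    def __iter__(self):
        return iter(())
    def __repr__(self):
        return 'ALL_PERMISSIONS'


ALL_PERMISSIONS = AllPermissionsList()
DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS)


class Resource:
    """Constructed stand-in for a traversal context: an __acl__ plus a __parent__."""
    def __init__(self, name, acl=None, parent=None):
        self.name = name
        self.__parent__ = parent
        if acl is not None:          # a context with no __acl__ is skipped by the walk
            self.__acl__ = acl


def lineage(context):
    """Yield context, its parent, its grandparent, ... (assumed helper, like Pyramid's lineage())."""
    while context is not None:
        yield context
        context = getattr(context, '__parent__', None)


class ACLPermitsResult(int):
    """int subclass so the result compares equal to True/False, as documented."""
    boolval = 0

    def __new__(cls, ace, acl, permission, principals, context):
        inst = int.__new__(cls, cls.boolval)
        inst.ace, inst.acl, inst.permission = ace, acl, permission
        inst.principals, inst.context = principals, context
        return inst

    @property
    def msg(self):                   # wording is this example's, not Pyramid's
        return '%s permission %r via ACE %r in ACL %r on context %r for principals %r' % (
            type(self).__name__, self.permission, self.ace, self.acl,
            getattr(self.context, 'name', self.context), sorted(self.principals))


class ACLAllowed(ACLPermitsResult):
    boolval = 1


class ACLDenied(ACLPermitsResult):
    boolval = 0


def _ace_matches(ace_permissions, permission):
    if isinstance(ace_permissions, str):     # a single permission name
        ace_permissions = (ace_permissions,)
    return permission in ace_permissions     # ALL_PERMISSIONS.__contains__ is always True


def permits(context, principals, permission):
    """First matching ACE wins, walking from context up to the root; default deny."""
    principals = set(principals)
    acl = None
    for location in lineage(context):
        acl = getattr(location, '__acl__', None)
        if acl is None:
            continue
        if callable(acl):                    # __acl__ may be a method, as in Pyramid
            acl = acl()
        for ace in acl:
            action, principal, ace_permissions = ace
            if principal in principals and _ace_matches(ace_permissions, permission):
                result = ACLAllowed if action == Allow else ACLDenied
                return result(ace, acl, permission, principals, location)
    # Lineage exhausted without an explicit match: deny.
    return ACLDenied('<default deny>', acl, permission, principals, context)


def principals_allowed_by_permission(context, permission):
    """Walk root -> context, accumulating Allow principals and honouring later Denies."""
    allowed = set()
    for location in reversed(list(lineage(context))):
        acl = getattr(location, '__acl__', None)
        if acl is None:
            continue
        if callable(acl):
            acl = acl()
        allowed_here, denied_here = set(), set()
        for action, principal, ace_permissions in acl:
            if not _ace_matches(ace_permissions, permission):
                continue
            if action == Allow and principal not in denied_here:
                allowed_here.add(principal)
            elif action == Deny:
                denied_here.add(principal)
                if principal == Everyone:    # e.g. DENY_ALL: drop everything inherited
                    allowed = set()
                    break
                allowed.discard(principal)   # a deny overrides an inherited allow
        allowed.update(allowed_here)
    return allowed


# Constructed sample tree: root grants view to everyone and edit to editors,
# /secret opts out of inheritance with DENY_ALL, /locked revokes edit for editors.
ROOT = Resource('root', acl=[(Allow, Everyone, 'view'),
                             (Allow, 'group:editors', 'edit'),
                             (Allow, 'role:admin', ALL_PERMISSIONS)])
BLOG = Resource('blog', parent=ROOT)                       # no ACL: inherits fully
SECRET = Resource('secret', parent=ROOT,
                  acl=[(Allow, 'group:editors', 'view'), DENY_ALL])
LOCKED = Resource('locked', parent=ROOT, acl=[(Deny, 'group:editors', 'edit')])

if __name__ == '__main__':
    print(permits(BLOG, [Everyone, 'alice'], 'view').msg)
    print(permits(SECRET, [Everyone, 'role:admin'], 'edit').msg)  # DENY_ALL beats admin
    print(sorted(principals_allowed_by_permission(LOCKED, 'edit')))
```

Note the asymmetry worth checking in any real ACL: permits() stops at the first ACE that matches a principal, so an Allow placed before a Deny in the same ACL wins, while DENY_ALL placed last still cuts off every inherited grant, admin ones included; principals_allowed_by_permission() reports the same outcome because a Deny of Everyone resets the set accumulated from parent ACLs.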

class ACLAuthorizationPolicy

An authorization policy which consults an ACL object attached to a context to determine authorization information about a principal or multiple principals. This class is a wrapper around ACLHelper; refer to that class for more detailed documentation.

Objects of this class implement the pyramid.interfaces.IAuthorizationPolicy interface.

Deprecated since version 2.0: Authorization policies have been deprecated by the new security system. See Upgrading Authentication/Authorization for more information.

Constants

Everyone

The special principal id named Everyone. This principal id is granted to all requests. Its actual value is the string 'system.Everyone'.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

Authenticated

The special principal id named Authenticated. This principal id is granted to all requests which contain any other non-Everyone principal id (according to the authentication policy). Its actual value is the string 'system.Authenticated'.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

ALL_PERMISSIONS

An object that can be used as the permission member of an ACE which matches all permissions unconditionally. For example, an ACE that uses ALL_PERMISSIONS might be composed like so: ('Deny', 'system.Everyone', ALL_PERMISSIONS).

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

DENY_ALL

A convenience shorthand ACE that defines ('Deny', 'system.Everyone', ALL_PERMISSIONS). This is often used as the last ACE in an ACL in systems that use an "inheriting" security policy, representing the concept "don't inherit any other ACEs".

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

Return Values

class ACLDenied(ace, acl, permission, principals, context)

static __new__(cls, ace, acl, permission, principals, context)

Create a new instance.

Parameters:
  • ace -- The ACE that matched, triggering the result.

  • acl -- The ACL containing ace.

  • permission -- The required permission.

  • principals -- The list of principals provided.

  • context -- The context providing the lineage searched.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

property msg

A string indicating why the result was generated.

class ACLAllowed(ace, acl, permission, principals, context)

static __new__(cls, ace, acl, permission, principals, context)

Create a new instance.

Parameters:
  • ace -- The ACE that matched, triggering the result.

  • acl -- The ACL containing ace.

  • permission -- The required permission.

  • principals -- The list of principals provided.

  • context -- The context providing the lineage searched.

New in version 2.0: Moved from pyramid.security into pyramid.authorization.

property msg

A string indicating why the result was generated.