pyramid.security
¶
Authentication API Functions¶
- forget(request, **kw)[source]¶
Return a sequence of header tuples (e.g.
[('Set-Cookie', 'foo=abc')]
) suitable for 'forgetting' the set of credentials possessed by the currently authenticated user. A common usage might look like so within the body of a view function (response
is assumed to be an WebOb -style response object computed previously by the view code):from pyramid.security import forget headers = forget(request) response.headerlist.extend(headers) return response
If no security policy is in use, this function will always return an empty sequence.
- remember(request, userid, **kw)[source]¶
Returns a sequence of header tuples (e.g.
[('Set-Cookie', 'foo=abc')]
) on this request's response. These headers are suitable for 'remembering' a set of credentials implied by the data passed asuserid
and*kw
using the current security policy. Common usage might look like so within the body of a view function (response
is assumed to be a WebOb -style response object computed previously by the view code):from pyramid.security import remember headers = remember(request, 'chrism', password='123', max_age='86400') response = request.response response.headerlist.extend(headers) return response
If no security policy is in use, this function will always return an empty sequence. If used, the composition and meaning of
**kw
must be agreed upon by the calling code and the effective security policy.Changed in version 1.6: Deprecated the
principal
argument in favor ofuserid
to clarify its relationship to the security policy.Changed in version 1.10: Removed the deprecated
principal
argument.
Constants¶
- NO_PERMISSION_REQUIRED¶
A special permission which indicates that the view should always be executable by entirely anonymous users, regardless of the default permission, bypassing any authorization policy that may be in effect. Its actual value is the string
'__no_permission_required__'
.
- Everyone¶
The special principal id named
Everyone
. This principal id is granted to all requests. Its actual value is the string'system.Everyone'
.Deprecated since version 2.0: Moved to
pyramid.authorization.Everyone
.
- Authenticated¶
The special principal id named
Authenticated
. This principal id is granted to all requests which contain any other non-Everyone principal id (according to the authentication policy). Its actual value is the string'system.Authenticated'
.Deprecated since version 2.0: Moved to
pyramid.authorization.Authenticated
.
- ALL_PERMISSIONS¶
An object that can be used as the
permission
member of an ACE which matches all permissions unconditionally. For example, an ACE that usesALL_PERMISSIONS
might be composed like so:('Deny', 'system.Everyone', ALL_PERMISSIONS)
.Deprecated since version 2.0: Moved to
pyramid.authorization.ALL_PERMISSIONS
.
- DENY_ALL¶
A convenience shorthand ACE that defines
('Deny', 'system.Everyone', ALL_PERMISSIONS)
. This is often used as the last ACE in an ACL in systems that use an "inheriting" security policy, representing the concept "don't inherit any other ACEs".Deprecated since version 2.0: Moved to
pyramid.authorization.DENY_ALL
.
Return Values¶
- Allow¶
The ACE "action" (the first element in an ACE e.g.
(Allow, Everyone, 'read')
that means allow access. A sequence of ACEs makes up an ACL. It is a string, and its actual value is'Allow'
.Deprecated since version 2.0: Moved to
pyramid.authorization.Allow
.
- Deny¶
The ACE "action" (the first element in an ACE e.g.
(Deny, 'george', 'read')
that means deny access. A sequence of ACEs makes up an ACL. It is a string, and its actual value is'Deny'
.Deprecated since version 2.0: Moved to
pyramid.authorization.Deny
.
- class Denied(s, *args)[source]¶
An instance of
Denied
is returned when a security-related API or other Pyramid code denies an action unrelated to an ACL check. It evaluates equal to all boolean false types. It has an attribute namedmsg
describing the circumstances for the deny.- static __new__(cls, s, *args)¶
Create a new instance.
- Parameters:
fmt -- A format string explaining the reason for denial.
args -- Arguments are stored and used with the format string to generate the
msg
.
- property msg¶
A string indicating why the result was generated.
- class Allowed(s, *args)[source]¶
An instance of
Allowed
is returned when a security-related API or other Pyramid code allows an action unrelated to an ACL check. It evaluates equal to all boolean true types. It has an attribute namedmsg
describing the circumstances for the allow.- static __new__(cls, s, *args)¶
Create a new instance.
- Parameters:
fmt -- A format string explaining the reason for denial.
args -- Arguments are stored and used with the format string to generate the
msg
.
- property msg¶
A string indicating why the result was generated.
- class ACLDenied(ace, acl, permission, principals, context)[source]¶
An instance of
ACLDenied
is a specialization ofpyramid.security.Denied
that represents that a security check made explicitly against ACL was denied. It evaluates equal to all boolean false types. It also has the following attributes:acl
,ace
,permission
,principals
, andcontext
. These attributes indicate the security values involved in the request. Its__str__
method prints a summary of these attributes for debugging purposes. The same summary is available as themsg
attribute.Deprecated since version 2.0: Moved to
pyramid.authorization.ACLDenied
.- static __new__(cls, ace, acl, permission, principals, context)¶
Create a new instance.
- Parameters:
ace -- The ACE that matched, triggering the result.
acl -- The ACL containing
ace
.permission -- The required permission.
principals -- The list of principals provided.
- property msg¶
A string indicating why the result was generated.
- class ACLAllowed(ace, acl, permission, principals, context)[source]¶
An instance of
ACLAllowed
is a specialization ofpyramid.security.Allowed
that represents that a security check made explicitly against ACL was allowed. It evaluates equal to all boolean true types. It also has the following attributes:acl
,ace
,permission
,principals
, andcontext
. These attributes indicate the security values involved in the request. Its__str__
method prints a summary of these attributes for debugging purposes. The same summary is available as themsg
attribute.Deprecated since version 2.0: Moved to
pyramid.authorization.ACLAllowed
.- static __new__(cls, ace, acl, permission, principals, context)¶
Create a new instance.
- Parameters:
ace -- The ACE that matched, triggering the result.
acl -- The ACL containing
ace
.permission -- The required permission.
principals -- The list of principals provided.
- property msg¶
A string indicating why the result was generated.