An access control list (ACL) is a list of access control elements (ACE). An ACE is a 3-tuple of:
To determine if the current user has a given permission on a given object in a given context, we iterate through the ACEs in the ACL of the object, testing each to see if the predicate is true in the context and the requested permission is in those that the ACE applies to. If both those conditions are met, the requested permission is either allowed or denied, as determined by the rule.
For example, an English version of an ACL may be:
That ACL could be represented by:
[
('ALLOW', Role('wheel'), AnyPermission),
('ALLOW', lambda user, group, **kw: user in group.members and user.is_admin, set(['write'])),
('ALLOW', lambda user, group, **kw: user in group.members, set(['read'])),
('DENY', Anyone, AnyPermission),
]
A “permission” is a single object that represents an action that a user may want to take. This can be a string, tuple, anyting, but usually I use strings such as "group.read" and "group.write".
A “permission set” may be a single string, a collection, or a callable.
If a string, a permission is in the permission set if permission == permission-set.
If a collection (e.g. set, tuple, list), a permission is in the permission set if permission in permission_set.
If a callable, a permission is in the permission set if permission_set(permission).
A “predicate” is a test against the authentication context, and returns a truth value. These are implemented as callables that take the context as keyword arguments.
Several predefined predicates check for authenticated users, local users, anonymouse users, or if a user has a given principal (e.g. email or username).
An ACE is a tuple of a truth value, a predicate, and a permission set. If the predicate matches, and the permission of interest is in the permission set, the truth value determines if the user is allowed to perform that action.
E.g.: (Allow, ANY, 'read') will allow anyone to 'read' an object.