| | |
| | | from pyramid.request import route_request_iface |
| | | from pyramid.asset import PackageOverrides |
| | | from pyramid.asset import resolve_asset_spec |
| | | from pyramid.security import NO_PERMISSION_REQUIRED |
| | | from pyramid.settings import Settings |
| | | from pyramid.static import StaticURLInfo |
| | | from pyramid.threadlocal import get_current_registry |
| | |
| | | ``default_permission`` argument, or if |
| | | :meth:`pyramid.config.Configurator.set_default_permission` |
| | | was used prior to this view registration. Pass the string |
| | | ``__no_permission_required__`` as the permission argument to |
| | | explicitly indicate that the view should always be |
| | | executable by entirely anonymous users, regardless of the |
| | | default permission, bypassing any :term:`authorization |
| | | :data:`pyramid.security.NO_PERMISSION_REQUIRED` as the |
| | | permission argument to explicitly indicate that the view should |
| | | always be executable by entirely anonymous users, regardless of |
| | | the default permission, bypassing any :term:`authorization |
| | | policy` that may be in effect. |
| | | |
| | | attr |
| | |
| | | If a default permission is in effect, view configurations meant to |
| | | create a truly anonymously accessible view (even :term:`exception |
| | | view` views) *must* use the explicit permission string |
| | | ``__no_permission_required__`` as the permission. When this string |
| | | is used as the ``permission`` for a view configuration, the default |
| | | permission is ignored, and the view is registered, making it |
| | | available to all callers regardless of their credentials. |
| | | :data:`pyramid.security.NO_PERMISSION_REQUIRED` as the permission. |
| | | When this string is used as the ``permission`` for a view |
| | | configuration, the default permission is ignored, and the view is |
| | | registered, making it available to all callers regardless of their |
| | | credentials. |
| | | |
| | | See also :ref:`setting_a_default_permission`. |
| | | |
| | |
| | | |
| | | The ``permission`` keyword argument is used to specify the |
| | | :term:`permission` required by a user to execute the static view. By |
| | | default, it is the string ``__no_permission_required__``. The |
| | | ``__no_permission_required__`` string is a special sentinel which |
| | | indicates that, even if a :term:`default permission` exists for the |
| | | current application, the static view should be renderered to |
| | | default, it is the string |
| | | :data:`pyramid.security.NO_PERMISSION_REQUIRED`, a special sentinel |
| | | which indicates that, even if a :term:`default permission` exists for |
| | | the current application, the static view should be renderered to |
| | | completely anonymous users. This default value is permissive |
| | | because, in most web apps, static assets seldom need protection from |
| | | viewing. If ``permission`` is specified, the security checking will |
| | |
| | | @wraps_view |
| | | def secured_view(self, view): |
| | | permission = self.kw.get('permission') |
| | | if permission == '__no_permission_required__': |
| | | if permission == NO_PERMISSION_REQUIRED: |
| | | # allow views registered within configurations that have a |
| | | # default permission to explicitly override the default |
| | | # permission, replacing it with no permission at all |
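Review bot: In `secured_view` the check appears to become `if permission == NO_PERMISSION_REQUIRED:`, so a view registered with the literal `'__no_permission_required__'` keeps bypassing the default permission only if the constant holds that same string, and its definition in `pyramid.security` is not shown on this page. If the values differ, the literal would presumably be treated as an ordinary permission name and checked against the authorization policy, so views meant to be anonymous would start being denied. A test that registers one view with the literal and one with the imported constant under a default permission would pin this. The reworded docstrings still say "When this string is used" and carry over the typo `renderered`; they should state plainly that `NO_PERMISSION_REQUIRED` is a sentinel that skips both the default permission and any authorization policy. The body of `secured_view` continues outside the hunk.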