Add Request.is_authenticated and is_authenticated predicate

[merwok]

Fixes #1602

[stevepiercy]

@merwok fyi, thanks for the offer to update What's New, but it is easier to do a single copy-pasta job at release time. See https://github.com/Pylons/pyramid/blob/master/RELEASING.txt#L49-L58 for process.

[mmerickel]

This configuration will not work because the two view configs have the same specificity:

They have the same view weighting but because they are properly mutually exclusive, the correct one will be selected for each request. This configuration will work.

There could definitely be issues with effective_principals because you could setup configurations that were not mutually exclusive. For example Everyone vs Authenticated is ambiguous, because authenticated users also contain the Everyone principal.

[stevepiercy]

If it is specified and its value is ``True``, only a request from an
authenticated user, as determined by the :term:`security policy`
in use, will satisfy this predicate.

If it is specified and its value is ``False``, only a request from
a user who is not authenticated will satisfy this predicate.

The is_authenticated predicate is applicable to both routes and views, and this version makes it copy-pasteable into route config. I like less maintenance!

Also I don't think it is correct to say that a "view callable will match", but maybe "predicate will match" or "predicate is satisfied". I took a shot at it, but maybe @mmerickel can wordsmith it better. Whatever is correct in Pyramid terminology.

The sentences should be merged into one paragraph. I put them separately for easier comprehension.

[merwok]

Oops, that should have been the view config will match! (not correct to say the view callable will be invoked, there are other predicates) (edit: but the other predicate docs do say that 🙁)

[merwok]

I have kept the doc as it was (not copy-pastable between route and view doc), to follow the existing style.

[stevepiercy]

Yeah, the predicate docs are suboptimal. There's an open issue that describes the current state, identifies the problems, and offers suggestions to improve the situation. I'd appreciate input on the best direction forward, then I'll create a PR for it.

[merwok]

I’m not sure about my wording the view config will match, it seems a little imprecise.
(the route will match feels correct, if a little dry — maybe route definition?)

I agree now that the predicate will match is simple, correct and reusable so I will edit the new docs.

[mmerickel]

This looks great. No major changes, just a few little things.

[mmerickel]

Great work, thank you @merwok. I'm gonna wait for @stevepiercy since he also marked the PR for changes, but things look good to me.

[merwok]

Oh also let me validate the whole thing with a tiny app! (can only trust unit tests so far)

[merwok]

I have added a bunch of routes and views to a minimal app and it looks good.

Python

def hello_world(request):
    return Response("Hello World!")


def hello_member(request):
    return Response("For members only.")


def hello_stranger(request):
    return Response("You are not authenticated :)")


def includeme(config):
    config.add_route("members-only", "/cool-zone", is_authenticated=True)
    config.add_view(hello_member, route_name="members-only")

    config.add_route("home", "/home")
    config.add_route("welcome", "/home", is_authenticated=False)
    config.add_view(hello_member, route_name="home")
    config.add_view(hello_stranger, route_name="welcome")

    config.add_route("history", "/history")
    config.add_view(hello_stranger, route_name="history")
    config.add_view(hello_member, route_name="history", is_authenticated=True)

    config.add_route("profile", "/profile")
    config.add_view(hello_stranger, route_name="profile", is_authenticated=False)
    config.add_view(hello_member, route_name="profile", is_authenticated=True)

proutes

Name                         Pattern                              View                                                                     Method    
----                         -------                              ----                                                                     ------    
hello                        /                                    helloapp.hello_world                                                     *         
members-only                 /cool-zone                           helloapp.hello_member                                                    *         
home                         /home                                helloapp.hello_member                                                    *         
welcome                      /home                                helloapp.hello_stranger                                                  *         
history                      /history                             pyramid.config.views.<pyramid.config.views.MultiView object at 0x...>    *         
profile                      /profile                             pyramid.config.views.<pyramid.config.views.MultiView object at 0x...>    *         
debugtoolbar                 /_debug_toolbar/*subpath             <unknown>                                                                *         
__/_debug_toolbar/static/    /_debug_toolbar/static/*subpath      pyramid_debugtoolbar:static/                                             *         

pviews

URL = /home

    context: <pyramid.traversal.DefaultRootFactory object at 0x...>
    view name: home

    Route:
    ------
    route name: home
    route pattern: /home
    route path: /home
    subpath: 

        View:
        -----
        helloapp.hello_member.

    Route:
    ------
    route name: welcome
    route pattern: /home
    route path: /home
    subpath: 
    route predicates (is_authenticated = False)

        View:
        -----
        helloapp.hello_stranger.


URL = /cool-zone

    context: <pyramid.traversal.DefaultRootFactory object at 0x...>
    view name: cool-zone

    Route:
    ------
    route name: members-only
    route pattern: /cool-zone
    route path: /cool-zone
    subpath: 
    route predicates (is_authenticated = True)

        View:
        -----
        helloapp.hello_member.


URL = /profile

    context: <pyramid.traversal.DefaultRootFactory object at 0x...>
    view name: profile

    Route:
    ------
    route name: profile
    route pattern: /profile
    route path: /profile
    subpath: 

        View:
        -----
        helloapp.hello_stranger
        view predicates (is_authenticated = False)

        View:
        -----
        helloapp.hello_member
        view predicates (is_authenticated = True)


URL = /history

    context: <pyramid.traversal.DefaultRootFactory object at 0x...>
    view name: history

    Route:
    ------
    route name: history
    route pattern: /history
    route path: /history
    subpath: 

        View:
        -----
        helloapp.hello_member
        view predicates (is_authenticated = True)

        View:
        -----
        helloapp.hello_stranger

I saw the expected text when opening the URLs with and without security policy (a simple class with 7 lines that permits everything)!

I also deleted the original IsAuthenticated predicate in my project, installed this Pyramid branch and my tests all pass.

[stevepiercy]

I'm OK with the changes as is, but would like both @merwok and @mmerickel thoughts on my comments about multiple predicates.

[merwok]

@mmerickel this is ready!

[digitalresistor]

\o/ this is great, thank you @merwok!