core.security.rules
===================

.. py:module:: core.security.rules


Functions
---------

.. autoapisummary::

   core.security.rules.has_permission_not_logged_in
   core.security.rules.has_permission_logged_in
   core.security.rules.may_view_http_errors_not_logged_in
   core.security.rules.may_view_cronjobs_not_logged_in


Module Contents
---------------

.. py:function:: has_permission_not_logged_in(app: onegov.core.framework.Framework, identity: None, model: object, permission: object) -> bool

   This catch-all rule returns the default permission rule. It says that the
   permission must be part of the anonymous rule.

   Models with an 'access' property set to 'secret' are prohibited from being
   viewed by anonymous users.


.. py:function:: has_permission_logged_in(app: onegov.core.framework.Framework, identity: onegov.core.types.HasRole, model: object, permission: object) -> bool

   This permission rule matches all logged-in identities. It requires the
   identity to have a 'role' attribute. That role attribute is used to
   determine whether the given permission is part of the given role.


.. py:function:: may_view_http_errors_not_logged_in(app: onegov.core.framework.Framework, identity: None, model: webob.exc.HTTPException, permission: type[onegov.core.security.Public]) -> Literal[True]

   HTTP errors may be viewed by anyone, regardless of settings.

   This is important because otherwise the HTTPForbidden/HTTPNotFound views
   will lead to an exception if the user does not have the ``Public``
   permission.


.. py:function:: may_view_cronjobs_not_logged_in(app: onegov.core.framework.Framework, identity: None, model: onegov.core.cronjobs.Job[Any], permission: type[onegov.core.security.Public]) -> Literal[True]

   Cronjobs are run anonymously from a thread and need to be excluded from the
   permission rules as a result.
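The four rules above, modelled as one stand-alone function to show how the specific anonymous rules interact with the catch-all. This is an added example, not onegov's code: the permission and model classes, the role maps and ``has_permission`` are assumptions made for the illustration.

```python
# Simplified model of the rules documented above. Not onegov's implementation:
# every class, the role maps and has_permission() are constructed for this example.

class Public: pass            # stand-in for onegov.core.security.Public
class Private: pass           # hypothetical stricter permission

class HTTPForbidden(Exception): pass   # stand-in for a webob.exc.HTTPException
class Job: pass                        # stand-in for onegov.core.cronjobs.Job

class Page:
    def __init__(self, access="public"):
        self.access = access

class User:
    def __init__(self, role):
        self.role = role

# Constructed role maps: role name -> permissions granted to that role.
OPEN_SITE = {"anonymous": {Public}, "admin": {Public, Private}}
LOCKED_SITE = {"anonymous": set(), "admin": {Public, Private}}

def is_public(permission):
    return isinstance(permission, type) and issubclass(permission, Public)

def has_permission(roles, identity, model, permission):
    if identity is not None:
        # Logged in: the identity's role decides, nothing else.
        return permission in roles.get(identity.role, set())
    # Anonymous: the two specific rules win over the catch-all.
    if isinstance(model, (HTTPForbidden, Job)) and is_public(permission):
        return True
    if getattr(model, "access", None) == "secret":
        return False
    return permission in roles.get("anonymous", set())
```

With ``LOCKED_SITE`` the anonymous catch-all denies every ordinary model, yet the error view and the cronjob still pass with ``Public``, which is the case the two specific rules exist for.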