def capability_finder(userid, request):
	"""Return the list of security principals that apply to this request.

	The list always starts with ``Everyone``. When ``User.get(userid)``
	finds a user, ``'user:<userid>'`` and ``Authenticated`` are added,
	followed by one ``'capability:<action class name>:<access type>'``
	entry per capability token in the request that the lookup resolves.

	Capability principals come only from tokens posted under
	``AUTH_POST_KEY``; a token the lookup maps to ``None`` grants nothing.

	NOTE(review): the lookup is built from the user and the session's CSRF
	token, so presumably tokens are bound to that session -- confirm in
	``AccessCapability.presented``, which is not visible here.

	NOTE(review): an unknown ``userid`` yields ``[Everyone]`` rather than
	``None``. If this is wired in as a Pyramid-style groupfinder callback,
	a non-None result may be taken to mean the userid is valid -- confirm
	how the caller consumes the return value.
	"""
	granted = [Everyone]

	account = User.get(userid)
	if account is None:
		# No such user: only the anonymous principal applies.
		return granted

	# Identity principals for a user that actually exists.
	granted.append('user:%s' % userid)
	granted.append(Authenticated)

	# Read the submitted tokens first, then build the per-user lookup, in
	# the same order as before so any side effects happen in the same order.
	submitted = request.POST.getall(AUTH_POST_KEY)
	resolve = AccessCapability.presented(account, request.session.get_csrf_token())

	for token in submitted:
		capability = resolve(token)
		if capability is None:
			# Token did not resolve to a capability; it grants nothing.
			continue
		granted.append('capability:%s:%s' % (capability.action_class.__name__, capability.access_type))

	return granted