def capability_finder(userid, request):
    """Build the list of principals in effect for ``userid`` on this request.

    The list always starts with ``Everyone``.  When ``User.get(userid)``
    finds a user, ``'user:<userid>'`` and ``Authenticated`` are added,
    followed by one ``'capability:<action class name>:<access type>'``
    entry for every value posted under ``AUTH_POST_KEY`` that the lookup
    returned by ``AccessCapability.presented`` resolves to a capability.

    Security note: capability principals are granted purely because the
    request carried a matching token, so the strength of this function is
    the strength of ``AccessCapability.presented``.  That lookup is not
    visible here.
    """
    effective = [Everyone]

    account = User.get(userid)
    if account is None:
        # Unknown user id: nothing beyond Everyone is granted.
        return effective

    effective.append('user:%s' % userid)
    effective.append(Authenticated)

    # NOTE(review): the source had lost its line breaks; the capability
    # lookup is placed inside the "user exists" path because it is built
    # from the user object -- confirm against the original layout.
    #
    # Values read from the POST body are untrusted input.  The lookup is
    # built from the user and the session's CSRF token -- presumably so a
    # token is only valid for this user and session; verify in
    # AccessCapability.presented.
    # NOTE(review): confirm that lookup compares token hashes in constant
    # time and only returns unexpired, unrevoked capabilities.
    posted_tokens = request.POST.getall(AUTH_POST_KEY)
    resolve = AccessCapability.presented(
        account, request.session.get_csrf_token())

    for token in posted_tokens:
        capability = resolve(token)
        if capability is None:
            # Token did not match any capability: grant nothing for it.
            continue
        effective.append('capability:%s:%s' % (
            capability.action_class.__name__, capability.access_type))

    return effective