ACL in pyramid
==============

This is the way I deal with ACL and reflects solely my opinion. It is a more-than-140-characters answer to https://twitter.com/merwok_/status/464472822744875010

Rather than doing dynamic ACL, which can be quite hard to read and maintain IMHO, I define a finite set of roles which are allowed permissions on a resource.

For example, in a sticky-notes-as-a-service API, everyone can access Bob's notes, but only the **owner** must be able to change them.

In order to authenticate a user as an owner, the resource defines a `group_finder`_ method which the auth policy calls to extend principals.

The example below can be run directly, and then:

* ``curl -XPUT -H 'X-DUMMY-AUTH-USERID: bob' http://localhost:8080/users/bob/notes/456`` will succeed
* ``curl -XPUT -H 'X-DUMMY-AUTH-USERID: not_bob' http://localhost:8080/users/bob/notes/456`` will return 403
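The static-role approach described above, as an added example that is not the gist's own code (the original runnable example is not reproduced on this page). To run anywhere it does not import ``pyramid``; instead it models the evaluation rules of Pyramid's ``ACLAuthorizationPolicy`` (walk the resource lineage from the context to the root, scan each ``__acl__`` in order, first matching ACE decides) and a dummy header-based auth policy that calls the resource's ``group_finder`` to extend principals. The header name comes from the curl commands above; the resource tree, ``effective_principals``, ``permits``, ``handle_put`` and ``handle_get`` are assumptions of this example.

```python
"""Standalone model of a static-role ACL in the Pyramid style (added example)."""

Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
ALL_PERMISSIONS = object()             # sentinel: this ACE covers every permission
USERID_HEADER = "X-DUMMY-AUTH-USERID"  # header name from the curl commands in the gist


class Resource:
    """Traversal node: __parent__ links form the lineage, __acl__ holds the ACEs."""
    __acl__ = []

    def __init__(self, name, parent=None):
        self.__name__ = name
        self.__parent__ = parent

    def lineage(self):
        node = self
        while node is not None:
            yield node
            node = node.__parent__


class Root(Resource):
    # Explicit default-deny at the top: anything not granted lower down is refused.
    __acl__ = [(Deny, Everyone, ALL_PERMISSIONS)]


class Note(Resource):
    """A sticky note; the static 'role:owner' principal is the only one allowed to edit."""
    __acl__ = [
        (Allow, Everyone, "view"),
        (Allow, "role:owner", "edit"),
    ]

    def __init__(self, name, parent, owner):
        super().__init__(name, parent)
        self.owner = owner

    def group_finder(self, userid):
        """Callback the auth policy uses to extend principals.

        Returns the extra groups for userid on this resource, or None for an
        unknown user (Pyramid's convention, which makes the request anonymous).
        """
        if not userid:
            return None
        return ["role:owner"] if userid == self.owner else []


def effective_principals(headers, context):
    """Dummy auth policy that trusts USERID_HEADER (test-only, as in the gist)."""
    principals = [Everyone]
    userid = headers.get(USERID_HEADER)
    if userid is None:
        return principals
    groups = context.group_finder(userid) if hasattr(context, "group_finder") else []
    if groups is None:                  # unknown user: treat as anonymous
        return principals
    return principals + [Authenticated, userid] + list(groups)


def permits(context, principals, permission):
    """Pyramid-style ACL check: the first matching ACE along the lineage wins."""
    for resource in context.lineage():
        for action, principal, perms in getattr(resource, "__acl__", ()):
            if principal not in principals:
                continue
            if perms is ALL_PERMISSIONS:
                return action == Allow
            if isinstance(perms, str):  # an ACE may name one permission or a list
                perms = (perms,)
            if permission in perms:
                return action == Allow
    return False                        # no ACE matched anywhere: deny


def handle_put(headers, note):
    """Model of PUT /users/<owner>/notes/<id>: 200 when 'edit' is permitted, else 403."""
    principals = effective_principals(headers, note)
    return 200 if permits(note, principals, "edit") else 403


def handle_get(headers, note):
    """Model of GET on the same note: 'view' is granted to Everyone."""
    principals = effective_principals(headers, note)
    return 200 if permits(note, principals, "view") else 403


# Constructed resource tree for the URL in the gist: /users/bob/notes/456
ROOT = Root("")
BOBS_NOTE = Note("456", parent=Resource("notes", Resource("bob", Resource("users", ROOT))),
                 owner="bob")

if __name__ == "__main__":
    print(handle_put({USERID_HEADER: "bob"}, BOBS_NOTE))      # 200
    print(handle_put({USERID_HEADER: "not_bob"}, BOBS_NOTE))  # 403
    print(handle_put({}, BOBS_NOTE))                          # 403 (anonymous)
    print(handle_get({}, BOBS_NOTE))                          # 200 (everyone may view)
```

The role set is fixed in code (``role:owner``), so reviewing who may edit a note is a matter of reading two ACE lines rather than tracing dynamic ACL construction; the only per-request logic is the ``group_finder`` that maps an authenticated userid onto that static role, and the ``Deny Everyone ALL_PERMISSIONS`` entry at the root guarantees that a permission nobody granted is refused.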