# File lib/puppet/network/rights.rb, line 56
56:   def is_forbidden_and_why?(name, args = {})
57:     res = :nomatch
58:     right = @rights.find do |acl|
59:       found = false
60:       # an acl can return :dunno, which means "I'm not qualified to answer your question,
61:       # please ask someone else". This is used when for instance an acl matches, but not for the
62:       # current rest method, where we might think some other acl might be more specific.
63:       if match = acl.match?(name)
64:         args[:match] = match
65:         if (res = acl.allowed?(args[:node], args[:ip], args)) != :dunno
66:           # return early if we're allowed
67:           return nil if res
68:           # we matched, select this acl
69:           found = true
70:         end
71:       end
72:       found
73:     end
74: 
75:     # if we end here, then that means we either didn't match
76:     # or failed, in any case will throw an error to the outside world
77:     if name =~ /^\// or right
78:       # we're a patch ACL, let's fail
79:       msg = "#{(args[:node].nil? ? args[:ip] : "#{args[:node]}(#{args[:ip]})")} access to #{name} [#{args[:method]}]"
80: 
81:       msg += " authenticated " if args[:authenticated]
82: 
83:       error = AuthorizationError.new("Forbidden request: #{msg}")
84:       if right
85:         error.file = right.file
86:         error.line = right.line
87:       end
88:     else
89:       # there were no rights allowing/denying name
90:       # if name is not a path, let's throw
91:       raise ArgumentError, "Unknown namespace right '#{name}'"
92:     end
93:     error
94:   end