repoze.what doesn’t provide WSGI middleware per se. Instead, it configures and re-uses repoze.who‘s.
Middleware-related components are defined in the repoze.what.middleware module. It contains one function to configure repoze.who with support for repoze.what and the repoze.who metadata provider that loads authorization-related data in the repoze.who identity and the repoze.what credentials dictionaries.
In repoze.what v2, the userid, groups and permissions will only be loaded in the repoze.what credentials dictionary (environ['repoze.what.credentials']). So you are encouraged not to access this data from the repoze.who identity – if you do so, you will have to update your code when you want to upgrade to v2.
repoze.what defines and uses the following WSGI environment variables:
repoze.what.credentials: It contains authorization-related data about the current user (it’s similar to repoze.who‘s identity). It is a dictionary made up of the following items: userid (the user name of the current user, if not anonymous; copied from environ['repoze.who.identity']['repoze.who.userid'] in repoze.what v1.X), groups (tuple of groups to which the currrent user belongs) and permissions (tuple of permissions granted to such groups).
Do not access this dictionary directly, use a predicate checker instead. This variable is internal and the disposal or availability of its items may change at any time.
repoze.what.adapters: It contains the available source adapters, if any. It’s a dictionary made up of the following items: groups (dictionary of group adapters) and permissions (dictionary of permission adapters).