Hi all, I am suffering a strange authentication problem: when a user with only 'profile' permission tried to access a view required 'admin' permission, it can pass the permission check and access that view normally. As you can see, this should not happen because such users have only 'profile' permission and has no 'admin' permission. After a long investigation, I found the source of the problem: I return a list of group_id of a user whose belong to in the callback of 'groupfinder'. And in authentication.py line 171, it added 'user_id' into effective principals. I don't know why the author added user_id into effective principals. I believe, in a common scenario, permissions are attached to group, and store group_id as identifier of permission finders is a good choose. Even in a situation where no group available, we can just return user_id in groupfinder function instead of hardcoding the user_id into effective principals.
-- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/pylons-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
