[The BFG Trac instance seems to be in disrepair, so I'm re-reporting this here.]
The application below should disallow the user from seeing the view named "x", while allowing the user to see the view named "test", which uses view_execution_permitted() to show whether the user is allowed to see "x". In BFG 1.3b1, the "test" view says the user is allowed to see "x", which is incorrect: the user is never allowed to see "x" under any version of BFG.

from cgi import escape
from paste.httpserver import serve
from repoze.bfg.authentication import AuthTktAuthenticationPolicy
from repoze.bfg.authorization import ACLAuthorizationPolicy
from repoze.bfg.configuration import Configurator
from repoze.bfg.security import view_execution_permitted
from webob import Response

def x_view(request):
    # Protected by the 'private' permission below; nobody is granted it.
    return Response('this is private!')

def test(context, request):
    # Reports whether the current user may execute the sibling view 'x'.
    msg = 'Allow ./x? %s' % repr(view_execution_permitted(
        context, request, 'x'))
    return Response(escape(msg))

if __name__ == '__main__':
    authentication_policy = AuthTktAuthenticationPolicy('seekrit')
    authorization_policy = ACLAuthorizationPolicy()
    config = Configurator(authentication_policy=authentication_policy,
                          authorization_policy=authorization_policy)
    config.begin()
    config.add_view(x_view, name='x', permission='private')
    config.add_view(test, name='test')
    config.end()
    app = config.make_wsgi_app()
    serve(app, host='0.0.0.0')

My guess is this can be fixed by changing line 989 of configuration.py to refer to "derived_view" instead of "view".

BTW, this seems to be yet another good release!

Shane
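To make the reported behaviour concrete, here is an added, self-contained Python model of the mechanism the report points at; it is written for this note and is not BFG's own code. The view registered under a name is wrapped in a permission-checking "derived view" that carries the `__permitted__` hook which view_execution_permitted() consults, so registering the undecorated view instead makes a protected view look public. The names `secure_view`, `acl_permits`, `allow_x` and `register_derived` are assumptions of the model, and the ACL check is a deliberately minimal stand-in for ACLAuthorizationPolicy.

```python
from types import SimpleNamespace

class Allowed(str):
    """Truthy result, like BFG's Allowed."""
    def __bool__(self): return True

class Denied(str):
    """Falsy result, like BFG's Denied."""
    def __bool__(self): return False

def acl_permits(context, principals, permission):
    """Minimal ACL check (model only): first matching ACE wins; no ACL denies."""
    for action, principal, perms in getattr(context, "__acl__", ()):
        if principal in principals and permission in perms:
            return action == "Allow"
    return False

def secure_view(view, permission):
    """Wrap view in a permission check; __permitted__ is the hook checked below."""
    def permitted(context, request):
        if acl_permits(context, request.principals, permission):
            return Allowed("has %r" % permission)
        return Denied("lacks %r" % permission)
    def derived_view(context, request):
        if not permitted(context, request):
            raise PermissionError(str(permitted(context, request)))
        return view(context, request)
    derived_view.__permitted__ = permitted
    return derived_view

def add_view(registry, view, name, permission=None, register_derived=True):
    """register_derived=False models the bug: the bare view gets registered."""
    derived = secure_view(view, permission) if permission else view
    registry[name] = derived if register_derived else view

def view_execution_permitted(registry, context, request, name):
    """Truthy if the caller may execute the named view."""
    permitted = getattr(registry[name], "__permitted__", None)
    if permitted is None:  # no permission attached: treated as public
        return Allowed("no permission registered")
    return permitted(context, request)

def allow_x(register_derived):
    """Reported scenario: anonymous request against a root with no ACL."""
    registry = {}
    add_view(registry, lambda c, r: "this is private!", "x",
             permission="private", register_derived=register_derived)
    context = SimpleNamespace()  # no __acl__ anywhere, so 'private' is never granted
    request = SimpleNamespace(principals=["system.Everyone"])
    return bool(view_execution_permitted(registry, context, request, "x"))
```

With the derived view registered the check correctly reports Denied; with the bare view registered it reports Allowed even though executing the view would still be refused, which is the mismatch the "test" view exposed.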