When you "impersonate" a user in web2py, your whole auth session gets replaced with the user's, and that means you lose access to whatever permissions you used to have ( http://web2py.readthedocs.org/en/latest/tools.html#gluon.tools.Auth.impersonate )
Practically: if you're a staff member (Support Team, not geek) and you're using a permission-locked back-office to impersonate a user, that means you won't be able to access the back-office to check for extra data until you impersonate(0) to go back to your own session and permissions.

So far I've just asked my team to chew on it and just de-impersonate every time they need to go back to the back-office... but they keep complaining about it and they're quite right.

I've been thinking about how to improve this, and so far I've only managed to narrow down a few options:

1. Building a second Session() object to manage both sessions separately
2. Using session.connect(masterapp="...") to use another application's sessions (between main app and back-office app for instance, if those are separate... which is a pain in terms of model management)
3. Messing with the permission system to add up permissions (staff member's permissions + impersonated user's permissions) before permission checks

I'm really not sure what strategy I should adopt here and how I should go about implementing this. Pointers would be very welcome :)
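The behaviour described in the message, modelled together with a variant of option 3 in which back-office checks are evaluated against the original staff member rather than against a merged permission set. This is an added example, not part of the original post and not web2py code; `AuthSession`, `PERMISSIONS` and every method name are hypothetical stand-ins for the web2py session and its permission checks.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: user id -> permission names (all hypothetical).
PERMISSIONS = {
    1: {"backoffice.view", "impersonate"},  # support staff member
    42: {"orders.view"},                    # ordinary customer
}

@dataclass
class AuthSession:
    user_id: int                            # effective (possibly impersonated) user
    impersonator_id: Optional[int] = None   # real staff id while impersonating
    audit: list = field(default_factory=list)

    def impersonate(self, target_id: int) -> None:
        """Switch identity but remember who is really at the keyboard."""
        if self.impersonator_id is not None:
            raise PermissionError("nested impersonation is not allowed")
        if "impersonate" not in PERMISSIONS[self.user_id]:
            raise PermissionError("user may not impersonate")
        self.impersonator_id, self.user_id = self.user_id, target_id
        self.audit.append(("start", self.impersonator_id, target_id))

    def stop_impersonating(self) -> None:
        """Restore the staff identity (the role impersonate(0) plays in the post)."""
        if self.impersonator_id is not None:
            self.audit.append(("stop", self.impersonator_id, self.user_id))
            self.user_id, self.impersonator_id = self.impersonator_id, None

    def has_permission(self, name: str) -> bool:
        """Ordinary check: only the effective user counts, so staff rights vanish."""
        return name in PERMISSIONS[self.user_id]

    def has_staff_permission(self, name: str) -> bool:
        """Back-office check: uses the real staff member and is always logged
        during impersonation, so customer pages never inherit staff rights."""
        real = self.user_id if self.impersonator_id is None else self.impersonator_id
        allowed = name in PERMISSIONS[real]
        if self.impersonator_id is not None:
            self.audit.append(("staff_check", real, self.user_id, name, allowed))
        return allowed
```

Keeping the two checks separate means only back-office controllers opt in to the staff identity, and each such access during impersonation leaves an audit entry naming both the staff member and the impersonated user.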

