Are you saying that:

@auth.requires_membership(request.get_vars.specificObjectID)

allows access, but with the exact same query string (i.e., specificObjectID
set to the same value in the URL query string):

@auth.requires(auth.has_membership('Engagement_Squared_Super_Admin') or
auth.has_membership(request.get_vars.specificObjectID))

does not allow access? The condition in the latter should evaluate to True
whenever the former is True. Maybe double check your code and that the test
case (i.e., requested URL) is identical.

Also, when using @auth.requires() it is best to put any .has_membership or
.has_permission checks inside a lambda so they will only be evaluated when
the decorated function is actually called (otherwise they will be evaluated
whenever any function in the controller is called).

Finally, the above approach doesn't seem secure, as it will allow an astute
user to gain access as long as they have membership in at least one group
(and know the name of the group). For example, I could request:

http://yourapp.com/default/private_function?specificObjectID=any_group_I_know_I_belong_to

Now I have access to private_function, regardless of what group(s) I belong
to.

Anthony

On Wednesday, November 4, 2015 at 2:39:54 PM UTC-5, Alex Glaros wrote:
>
> Only the first-named requirement gets executed when I use "or" in a
> decorator.
>
> What is correct "or" syntax?
>
> In below example, the first item works and the second is ignored.
>
> @auth.requires_membership(request.get_vars.specificObjectID or
> 'Engagement_Squared_Super_Admin')
>
> In second example below, the first item works and second is ignored.
>
> @auth.requires((auth.has_membership('Engagement_Squared_Super_Admin') or
> (auth.has_membership(request.get_vars.specificObjectID))))
>
> What is correct syntax for the "or" operator?
>
> thanks,
>
> Alex Glaros
>
> Note: they correctly work independently when used as one-liners. E.g.,
> @auth.requires_membership(request.get_vars.specificObjectID)
>
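
An added example, not part of the thread and not web2py code: it models the two points in the reply above, a lambda condition that is only evaluated when the decorated function is called, and a membership check whose group name comes from the query string next to one where the server maps the object ID to a group. FakeAuth, OBJECT_GROUP, may_manage, build and allowed are hypothetical stand-ins so the block runs without web2py.

```python
class Denied(Exception):
    pass

class FakeAuth:
    """Offline stand-in for web2py's auth (constructed for this example)."""
    def __init__(self, groups):
        self.groups = set(groups)
        self.checks = 0                      # number of has_membership() calls

    def has_membership(self, role):
        self.checks += 1
        return role in self.groups

    def requires(self, condition):
        # As with auth.requires, the condition may be a value or a callable
        def decorator(f):
            def wrapper(*args, **kwargs):
                ok = condition() if callable(condition) else condition
                if not ok:
                    raise Denied(f.__name__)
                return f(*args, **kwargs)
            return wrapper
        return decorator

SUPER = 'Engagement_Squared_Super_Admin'
OBJECT_GROUP = {'42': 'object_42_admins'}    # hypothetical server-side mapping

def may_manage(auth, object_id):
    group = OBJECT_GROUP.get(object_id)      # unknown ID -> no group -> denied
    return auth.has_membership(SUPER) or (group is not None and auth.has_membership(group))

def build(auth, get_vars):
    # Pattern from the thread (in a lambda): the group name comes from the URL
    @auth.requires(lambda: auth.has_membership(SUPER)
                   or auth.has_membership(get_vars.get('specificObjectID')))
    def private_function():
        return 'ok'

    # Alternative: the URL names an object, the server decides which group applies
    @auth.requires(lambda: may_manage(auth, get_vars.get('specificObjectID')))
    def private_function_checked():
        return 'ok'
    return private_function, private_function_checked

def allowed(func):
    try:
        return func() == 'ok'
    except Denied:
        return False

if __name__ == '__main__':
    auth = FakeAuth(['book_club'])           # constructed user in one unrelated group
    open_fn, checked_fn = build(auth, {'specificObjectID': 'book_club'})
    print(allowed(open_fn), allowed(checked_fn))
```

In a real controller the same shape applies with web2py's own auth and request.get_vars; the mapping from object ID to group would come from the application's data rather than a literal dict.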