Perhaps the documentation could explain this better, but the auth.has_permission method is designed to check whether a specific user or specific group has a particular permission. It does not check whether the current user is logged in.
If you do not specify either the user_id argument or the group_id argument, it does the following:

1. If there is an auth.settings.everybody_group_id, it checks whether that group has the permission in question (the idea being that it doesn't matter which user is being checked, as every user is by definition a member of the everybody_group_id group).
2. If there is no auth.settings.everybody_group_id but the current user is logged in, it checks whether the currently logged in user has the permission in question.
3. If neither #1 nor #2, it will return False.

Note, if you instead use the @auth.requires_permission decorator, that will by default also require login. Otherwise, if you want to use auth.has_permission, you must separately check whether the current user is logged in.

Anthony

On Wednesday, November 2, 2016 at 7:04:16 PM UTC-4, Horst Horst wrote:
> I've found a behavior in 2.14.6 which makes me scratch my head. I have set
>
> auth.settings.everybody_group_id = 2
>
> in order to make every user part of the "user" group (2). The
> auth_membership reflects this explicitly for each added user.
>
> I have granted several permissions to group 2, e.g. one identified by the
> constant PERM_READ in a table 'piece'. Now, if I call a controller without
> being logged in (so that auth.user_id == None), to my surprise
>
> auth.has_permission(PERM_READ, "piece", piece_id)
>
> returns True. If I do not set auth.settings.everybody_group_id, however,
> the same check returns False.
>
> So it seems that the "None" user implicitly gets group 2 permissions
> (without this being reflected in the membership table).
>
> Is this desired behavior?
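Added example, not part of the original thread and not web2py's own code: a small stand-alone model of the three cases listed in the reply, showing why an anonymous request gets True when an everybody group is set and how a separate login check closes that gap. `AuthModel`, `guarded_has_permission`, `scenario`, the value of `PERM_READ` and record id 7 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

PERM_READ = "read"  # constructed value; the post only names the constant


@dataclass
class AuthModel:
    """Stand-in for web2py's auth object, modelling only the cases in the reply."""
    everybody_group_id: Optional[int] = None  # auth.settings.everybody_group_id
    user_id: Optional[int] = None             # None: nobody is logged in
    memberships: Set[Tuple[int, int]] = field(default_factory=set)            # (user, group)
    permissions: Set[Tuple[int, str, str, int]] = field(default_factory=set)  # (group, name, table, record)

    def is_logged_in(self) -> bool:
        return self.user_id is not None

    def has_permission(self, name, table_name, record_id) -> bool:
        # Case 1: an everybody group is configured, so only that group is checked.
        if self.everybody_group_id is not None:
            groups = {self.everybody_group_id}
        # Case 2: no everybody group, but a user is logged in.
        elif self.is_logged_in():
            groups = {g for (u, g) in self.memberships if u == self.user_id}
        # Case 3: neither applies.
        else:
            return False
        return any((g, name, table_name, record_id) in self.permissions for g in groups)


def guarded_has_permission(auth, name, table_name, record_id) -> bool:
    """Login check first, then the permission check, as the reply advises."""
    return auth.is_logged_in() and auth.has_permission(name, table_name, record_id)


def scenario(everybody_group_id):
    """Anonymous request against the setup from the question (group 2 may read piece 7)."""
    auth = AuthModel(everybody_group_id=everybody_group_id,
                     permissions={(2, PERM_READ, "piece", 7)})
    return (auth.has_permission(PERM_READ, "piece", 7),
            guarded_has_permission(auth, PERM_READ, "piece", 7))


if __name__ == "__main__":
    print("everybody_group_id = 2   :", scenario(2))     # (True, False)
    print("everybody_group_id unset :", scenario(None))  # (False, False)
```

In a real web2py controller the same guard is `auth.is_logged_in() and auth.has_permission(...)`, or the `@auth.requires_permission` decorator mentioned in the reply.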

