Thanks for the explanation, Anthony! It seems I had different expectations regarding the definition of "everybody", but I guess either way makes sense.
On Thursday, November 3, 2016 at 3:58:50 AM UTC+1, Anthony wrote:
>
> Perhaps the documentation could explain this better, but the auth.has_permission method is designed to check whether a specific user or specific group has a particular permission. It does not check whether the current user is logged in.
>
> If you do not specify either the user_id argument or the group_id argument, it does the following:
>
> 1. If there is an auth.settings.everybody_group_id, it checks whether that group has the permission in question (the idea being that it doesn't matter which user is being checked, as every user is by definition a member of the everybody_group_id group).
> 2. If there is no auth.settings.everybody_group_id but the current user is logged in, it checks whether the currently logged in user has the permission in question.
> 3. If neither #1 nor #2, it will return False.
>
> Note, if you instead use the @auth.requires_permission decorator, that will by default also require login. Otherwise, if you want to use auth.has_permission, you must separately check whether the current user is logged in.
>
> Anthony
>
> On Wednesday, November 2, 2016 at 7:04:16 PM UTC-4, Horst Horst wrote:
>>
>> I've found a behavior in 2.14.6 which makes me scratch my head. I have set
>>
>> auth.settings.everybody_group_id = 2
>>
>> in order to make every user part of the "user" group (2). The auth_membership reflects this explicitly for each added user.
>>
>> I have granted several permissions to group 2, e.g. one identified by the constant PERM_READ in a table 'piece'. Now, if I call a controller without being logged in (so that auth.user_id == None), to my surprise
>>
>> auth.has_permission(PERM_READ, "piece", piece_id)
>>
>> returns True. If I do not set auth.settings.everybody_group_id, however, the same check returns False.
>>
>> So it seems that the "None" user implicitly gets group 2 permissions (without this being reflected in the membership table).
>>
>> Is this desired behavior?
>>
> --

Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
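The three-step decision order Anthony describes, and the reason an anonymous request passes the check once everybody_group_id is set, can be seen in a small model. This is an added example, not web2py's code and not from either poster: the Auth, Settings, build_auth and has_permission_logged_in names, the sample membership and permission data, and the in-memory lookup tables are all assumptions chosen for illustration. It also shows the separate login check Anthony says a caller of auth.has_permission must add, as a wrapper that returns False whenever nobody is logged in.

```python
# Added example modelling the auth.has_permission decision order described in
# the thread. Not web2py's implementation: class and helper names are made up,
# and permissions/memberships live in plain Python sets instead of DB tables.


class Settings:
    """Stand-in for auth.settings (assumption: only everybody_group_id matters here)."""

    def __init__(self, everybody_group_id=None):
        self.everybody_group_id = everybody_group_id


class Auth:
    """Minimal model of the permission lookup; `user_id` is None when nobody is logged in."""

    def __init__(self, settings, memberships, permissions):
        self.settings = settings
        self.user_id = None
        # user_id -> set of group_ids (what auth_membership would hold)
        self._memberships = memberships
        # set of (group_id, name, table, record_id); record_id 0 = every record
        self._permissions = permissions

    def login(self, user_id):
        self.user_id = user_id

    def _group_has(self, group_id, name, table, record_id):
        return ((group_id, name, table, record_id) in self._permissions
                or (group_id, name, table, 0) in self._permissions)

    def _user_has(self, user_id, name, table, record_id):
        return any(self._group_has(g, name, table, record_id)
                   for g in self._memberships.get(user_id, set()))

    def has_permission(self, name, table='', record_id=0, user_id=None, group_id=None):
        # Explicit group or user: check exactly that principal, nothing else.
        if group_id is not None:
            return self._group_has(group_id, name, table, record_id)
        if user_id is not None:
            return self._user_has(user_id, name, table, record_id)
        # 1. everybody group, if configured: no login check happens at all here,
        #    which is why an anonymous request (self.user_id is None) passes.
        if self.settings.everybody_group_id is not None:
            return self._group_has(self.settings.everybody_group_id, name, table, record_id)
        # 2. no everybody group, but someone is logged in: check that user.
        if self.user_id is not None:
            return self._user_has(self.user_id, name, table, record_id)
        # 3. neither: deny.
        return False

    def has_permission_logged_in(self, name, table='', record_id=0):
        """The caller-side login check Anthony recommends (assumed helper name)."""
        if self.user_id is None:
            return False
        return self.has_permission(name, table, record_id, user_id=self.user_id)


PERM_READ = 'read'  # constructed name mirroring the constant in the question


def build_auth(everybody_group_id):
    # Constructed sample data: group 2 may read any 'piece' record, and
    # user 7 is an explicit member of group 2, as auth_membership would show.
    return Auth(Settings(everybody_group_id),
                memberships={7: {2}},
                permissions={(2, PERM_READ, 'piece', 0)})


def anonymous_check(everybody_group_id):
    """Horst's controller call with nobody logged in."""
    auth = build_auth(everybody_group_id)
    return auth.has_permission(PERM_READ, 'piece', 5)


def logged_in_check(everybody_group_id, user_id):
    """Same call after `user_id` has logged in."""
    auth = build_auth(everybody_group_id)
    auth.login(user_id)
    return auth.has_permission(PERM_READ, 'piece', 5)


def guarded_check(everybody_group_id, logged_in_user=None):
    """The wrapped check that also requires a login."""
    auth = build_auth(everybody_group_id)
    if logged_in_user is not None:
        auth.login(logged_in_user)
    return auth.has_permission_logged_in(PERM_READ, 'piece', 5)


if __name__ == '__main__':
    print('anonymous, everybody_group_id=2  ->', anonymous_check(2))      # True
    print('anonymous, everybody_group_id=None ->', anonymous_check(None))  # False
    print('guarded anonymous, everybody=2    ->', guarded_check(2))        # False
    print('guarded user 7, everybody=2       ->', guarded_check(2, 7))     # True
```

Running it reproduces the behaviour in the question: with everybody_group_id set, the anonymous call returns True at step 1 before any login state is consulted; without it, step 2 finds no logged-in user and step 3 denies. The guarded wrapper is the pattern to use in a controller that is not protected by @auth.requires_permission, since that decorator is what adds the login requirement.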

