I implemented a small control/view to sit in front of the impersonate
function that's implemented in web2py. Together, the two just present
a list of users to impersonate and then redirect to activate the
impersonation.

controller:

   @auth.requires(auth.requires_login() and
                  auth.has_permission('impersonate',db.auth_user,0))
   def impersonate():
      ulist = db(db.auth_user.username!=auth.user.username).select(
         db.auth_user.ALL,
         orderby=db.auth_user.last_name|db.auth_user.first_name)
      return dict(ulist=ulist)

view:

   {{extend 'layout.html'}}
   <h2><b>Select user to impersonate:</b></h2>
   <table>
      {{for uent in ulist:}}
         {{=TR(TD(A(uent.last_name+", "+uent.first_name+" ("+uent.username+")", _href=URL(r=request,f="user",args=("impersonate",uent.id)))))}}
      {{pass}}
   </table>

First, I'm having trouble narrowing down the decorator for the
controller. I've run through a couple of different flavors, and the
one above is the first that works... mostly. If an unauthorized user
tries to go to the impersonate page, they don't get the usual "ACCESS
DENIED". Instead, they are redirected to the login page with the URL
specifying _next=/myapp/default/impersonate.

So, what's the correct way to use a decorator to limit access to a
function like this?

Second, is the original user information squirreled away somewhere we
can get at it? I couldn't find any evidence of this in the
documentation. If not, I can make a copy before the impersonate
happens.
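
Added example (not part of the original post, and not web2py code): a self-contained stand-in showing what the `and` expression passed to the decorator above evaluates to, next to a check that tests login first and the permission on every call. `MiniAuth`, `Redirect`, `Forbidden`, `outcome` and the user names are hypothetical and only mimic the shape of the calls in the post.

```python
import functools

class Redirect(Exception): pass   # stand-in: redirect to the login page
class Forbidden(Exception): pass  # stand-in: "ACCESS DENIED" response

class MiniAuth:
    """Hypothetical stand-in, not web2py's Auth class."""
    def __init__(self, grants):
        self.grants = grants  # constructed data: {username: {permission, ...}}
        self.user = None      # None means nobody is logged in

    def has_permission(self, name):
        return name in self.grants.get(self.user, set())

    def requires(self, condition):
        """Login is checked first, then the condition (value or callable)."""
        def decorator(action):
            @functools.wraps(action)
            def wrapper():
                if self.user is None:
                    raise Redirect("login?_next=" + action.__name__)
                if not (condition() if callable(condition) else condition):
                    raise Forbidden(action.__name__)
                return action()
            return wrapper
        return decorator

    def requires_login(self):
        return self.requires(True)

auth = MiniAuth({"alice": {"impersonate"}})

# A decorator object is always truthy, so `A and B` evaluates to B: the
# requires_login() result is discarded and only a bool reaches requires().
combined = auth.requires_login() and auth.has_permission("impersonate")

@auth.requires(lambda: auth.has_permission("impersonate"))  # checked on each call
def impersonate():
    return "user list"

def outcome(user):
    """Call the protected action as `user` and name what happened."""
    auth.user = user
    try:
        return impersonate()
    except Redirect:
        return "redirect to login"
    except Forbidden:
        return "access denied"
```

web2py itself provides `auth.requires_permission`, which takes the same three arguments as the `auth.has_permission` call in the post.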
