This should do it:

    @auth.requires(auth.user and auth.has_permission('impersonate',db.auth_user,0))

The arg of requires should be a boolean condition.
This would be wrong:

>    @auth.requires(auth.requires_login() and auth.has_permission('impersonate',db.auth_user,0))

because you have a decorator inside a decorator.

> Second, is the original user information squirreled away somewhere we can get 
> at it?

It took me a while to understand what "squirreled away" means. Yes.
session.auth.impersonator contains a pickle of the session of the
impersonator, so you can do:

    import cPickle
    original_user = cPickle.loads(session.auth.impersonator).auth.user



On Mar 1, 2:21 pm, reyelts <[email protected]> wrote:
> I implemented a small control/view to sit in front of the impersonate
> function that's implemented in web2py. Together, the two just present
> a list of users to impersonate and then redirect to activate the
> impersonation.
> controller:
>
>    @auth.requires(auth.requires_login() and auth.has_permission('impersonate',db.auth_user,0))
>    def impersonate():
>       ulist = db(db.auth_user.username!=auth.user.username).select(db.auth_user.ALL,orderby=db.auth_user.last_name|db.auth_user.first_name)
>       return dict(ulist=ulist)
>
> view:
>    {{extend 'layout.html'}}
>    <h2><b>Select user to impersonate:</b></h2>
>    <table>
>       {{for uent in ulist:}}
>          {{=TR(TD(A(uent.last_name+", "+uent.first_name+" ("+uent.username+")", _href=URL(r=request,f="user",args=("impersonate",uent.id)))))}}
>       {{pass}}
>    </table>
>
> First, I'm having trouble narrowing down the decorator for the
> controller. I've run through a couple of different flavors, and the
> one above is the first that works... mostly. If an unauthorized user
> tries to go to the impersonate page, they don't get the usual "ACCESS
> DENIED". Instead, they are redirected to the login page with the URL
> specifying _next=/myapp/default/impersonate.
>
> So, what's the correct way to use a decorator to limit access to a
> function like this?
>
> Second, is the original user information squirreled away somewhere we
> can get at it? I couldn't find any evidence of this in the
> documentation. If not, I can make a copy before the impersonate
> happens.
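
Why the decorator-inside-a-decorator form fails as an access check, shown as an added example that is not part of the original thread and not web2py's code. `MiniAuth` is a hypothetical stand-in that models only the fact that `requires_login()` returns a decorator while `requires()` takes a value; `wrong_condition`, `right_condition` and `guarded_call` are illustrative names, and `has_permission` is simplified to one argument.

```python
class AccessDenied(Exception):
    pass

class MiniAuth:
    """Hypothetical stand-in for web2py's Auth; models only requires(),
    requires_login() and a simplified has_permission()."""

    def __init__(self, user=None, permissions=()):
        self.user = user                     # None when nobody is logged in
        self.permissions = set(permissions)  # constructed sample data

    def has_permission(self, name):
        return (self.user, name) in self.permissions

    def requires(self, condition):
        # Receives a value that was already evaluated by the caller.
        def decorator(action):
            def wrapper(*args, **kwargs):
                if not condition:
                    raise AccessDenied(action.__name__)
                return action(*args, **kwargs)
            return wrapper
        return decorator

    def requires_login(self):
        # Returns a decorator (a function object), never a boolean.
        return self.requires(self.user is not None)

def wrong_condition(auth, other):
    # Form from the question: a function object is always truthy, so the
    # expression collapses to `other` and the login term checks nothing.
    return auth.requires_login() and other

def right_condition(auth, other):
    # Form from the reply: auth.user is None for an anonymous visitor.
    return auth.user and other

def guarded_call(auth, condition):
    @auth.requires(condition)
    def impersonate():
        return 'ok'
    try:
        return impersonate()
    except AccessDenied:
        return 'denied'
```

In this model the wrong form protects the action only as far as the second term does; the login term is silently dropped from the condition.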
