[web2py] Re: impersonate: decorators, original user info

Mon, 01 Mar 2010 17:30:09 -0800 

Thanks Massimo, I tried your change, but got an error:

  Traceback (most recent call last):
    File "gluon/restricted.py", line 173, in restricted
    File "w:/web2py_win/applications/canyonezt/controllers/
default.py", line 236, in <module>
    File "gluon/globals.py", line 96, in <lambda>
    File "w:\web2py_win\library.zip\gluon\tools.py", line 1831, in f
  UnboundLocalError: local variable 'else_url' referenced before
assignment

However, I would have expected a change that made it look more like
the others (has_membership, for example):

    def requires(self, condition):
        """
        decorator that prevents access to action if not logged in
        """

        def decorator(action):

            def f(*a, **b):

                if not condition:
-->               if self.is_logged_in():
-->                 self.environment.session.flash =
self.messages.access_denied
-->                 next = self.settings.on_failed_authorization
-->                 redirect(next)
-->               else:
                    request = self.environment.request
                    next =
URL(r=request,args=request.args,vars=request.get_vars)
                    redirect(self.settings.login_url + '?
_next='+urllib.quote(next))
                return action(*a, **b)
            f.__doc__ = action.__doc__
            return f

        return decorator

In other words, if you're not logged in, you go to the login page and
are then redirected back here. If you are logged in, the condition is
checked and pass/failed just like any other condition.

If I understand correctly, I think this makes it work more closely to
how the documentation describes in section 8.2 where it talks about
decorators:

   If the visitor is not logged in, then the permission cannot be
checked; the visitor is
   redirected to the login page and then back to the page that
requires permissions.

   If the visitor does not have permission to access a given function,
the visitor is redirect
   to the URL defined by

      auth.settings.on_failed_authorization =  URL(r=request, f='user/
on_failed_authorization')

   You can change this variable and redirect the user elsewhere.

What do you think?

-- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en.

Reply via email to