for example
auth.requires(request.ajax)
you can do
@auth.requires(auth.user and (auth.has_membership(role='Admin') or \
    auth.has_membership(role='Soporte') or \
    auth.has_membership(role='Consulta_Soporte') or \
    auth.has_membership(role='Consulta_Clientes')))
Anyway, if this turns out to be a major backward compatibility issue
for you, I will revert it today.
Massimo
On Mar 17, 11:53 am, Martín Mulone <[email protected]> wrote:
> The problem was that I removed the other conditions (to make it more basic);
> this is the code that causes the failure:
>
> @auth.requires(auth.has_membership(role='Admin') or \
>     auth.has_membership(role='Soporte') or \
>     auth.has_membership(role='Consulta_Soporte') or \
>     auth.has_membership(role='Consulta_Clientes') )
>
> Or is there a better way? I can only imagine that auth requires being
> logged in; what other kind of authorization do we have without login?
>
> 2011/3/17 Massimo Di Pierro <[email protected]>
>
> > I considered this a bug fix but I am open to discussion.
>
> > This
>
> > @auth.requires(auth.has_membership(role='Admin'))
>
> > should have been
>
> > @auth.requires_membership(role='Admin')
>
> > OR
>
> > @auth.requires(auth.user and auth.has_membership(role='Admin'))
>
> > Before
>
> > @auth.requires(...)
>
> > was assuming a logged-in user, thus setting a restriction on the
> > usage. auth.requires may be used, for example, to restrict access based on
> > some other condition than login. Or did we say auth.requires always
> > requires login?
>
> > Massimo
>
> > On Mar 17, 10:25 am, Jonathan Lundell <[email protected]> wrote:
> > > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
>
> > > > @auth.requires(auth.has_membership(role='Admin'))
> > > > def index():
> > > >     return dict()
>
> > > > No longer redirects to the login page; instead it shows a not-authorized message.
> > > > This only happens in trunk.
>
> > > The two lines marked below were removed when Massimo put in the 403-error
> > > handling for RESTful requests, but the commit message doesn't mention them.
> > > Was that an accident?
>
> > > def requires(self, condition):
> > >     """
> > >     decorator that prevents access to action if not logged in
> > >     """
> > >
> > >     def decorator(action):
> > >
> > >         def f(*a, **b):
> > >             if self.settings.allow_basic_login_only and not self.basic():  # <<<<<<<<<<<
> > >                 return call_or_redirect(self.settings.on_failed_authorization)  # <<<<<<<<<<<
> > >
> > >             if not condition:
> > >                 if not self.basic() and not self.is_logged_in():
> > >                     request = self.environment.request
> > >                     next = URL(r=request,args=request.args,
> > >                                vars=request.get_vars)
> > >                     self.environment.session.flash = self.environment.response.flash
> > >                     return call_or_redirect(self.settings.on_failed_authentication,
> > >                                             self.settings.login_url + \
> > >                                             '?_next='+urllib.quote(next))
> > >                 else:
> > >                     self.environment.session.flash = \
> > >                         self.messages.access_denied
> > >                     return call_or_redirect(self.settings.on_failed_authorization)
> > >             return action(*a, **b)
> > >         f.__doc__ = action.__doc__
> > >         f.__name__ = action.__name__
> > >         f.__dict__.update(action.__dict__)
> > >         return f
> > >
> > >     return decorator
>
> --
> Pablo Martín Mulone ([email protected]) http://www.tecnodoc.com.ar/
>
> My blog: http://martin.tecnodoc.com.ar
> Expert4Solution Profile: http://www.experts4solutions.com/e4s/default/expert/6
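
The distinction this thread turns on (failed authentication sends the visitor to login, failed authorization denies access), shown as an added example that is not code from the thread or from web2py. It is a simplified stand-in for the quoted decorator: the `Auth` class, the `assume_login` switch, the `outcome` helper, the login URL and the users are constructed for illustration, and `assume_login=False` models the trunk behaviour reported above as an assumption.

```python
# Simplified stand-in for the decorator quoted in the thread; not web2py code.
from urllib.parse import quote

LOGIN_URL = "/default/user/login"  # assumed login URL, constructed for the example


class Auth:
    """Minimal model: `user` is None when nobody is logged in."""

    def __init__(self, user=None, roles=()):
        self.user = user
        self.roles = set(roles)

    def is_logged_in(self):
        return self.user is not None

    def has_membership(self, role):
        return self.is_logged_in() and role in self.roles

    def requires(self, condition, assume_login=True):
        """assume_login=True follows the quoted code: a failed condition from
        an anonymous visitor is an authentication failure (redirect to login),
        from a logged-in user an authorization failure (denied).
        assume_login=False (assumption about trunk): a failed condition is
        always an authorization failure, so callers must test login themselves."""
        def decorator(action):
            def f(path, *a, **b):
                if not condition:
                    if assume_login and not self.is_logged_in():
                        return ("redirect", LOGIN_URL + "?_next=" + quote(path))
                    return ("denied", 403)
                return ("ok", action(path, *a, **b))
            f.__name__ = action.__name__
            f.__doc__ = action.__doc__
            return f
        return decorator


def outcome(auth, assume_login):
    """Decorate a sample action per call, as a controller run per request would."""
    @auth.requires(auth.has_membership("Admin") or auth.has_membership("Soporte"),
                   assume_login=assume_login)
    def index(path):
        return {}
    return index("/app/default/index")
```

Calling `outcome(Auth(), True)` and `outcome(Auth(), False)` shows the two results an anonymous visitor can get for the same role check.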