Thanks for the workaround, I might take that. But I will still argue that: 1. Does authentication have to mean logged-in, or can it be something else, such as "accessing from localhost", "accessing via ajax", etc.?
2. if @auth already means authentication, why there is still an auth.requires_login() which implemented as auth.requires(auth.is_logged_in())? Shouldn't this implementation imply that auth.requires() does not check is_logged_in()? All in all, what is auth.requires()'s semantics? Regards, Ray On Oct 17, 1:41 pm, Bruno Rocha <rochacbr...@gmail.com> wrote: > I think it should be, because @auth means authentication, so needs > authenticated user. > > In your case I should do differently. > > def secret(): > if not request.client == '127.0.0.1' or not auth.user: > redirect(URL('default', 'user', args='login')) > return {"": "some cool stuff"}