Thanks Massimo and everyone who took part in this thread.

By the way, Massimo did not give the reason why he changed
auth.requires() behavior in 1.99.x, but here is my guess: otherwise it
would become an easy mistake for web2py users (all of us) to just
write auth.requires(condition) and forget that it could become a
vulnerability for unregistered end users.

Regards,
Ray

On Oct 18, 6:29 am, Massimo Di Pierro <massimo.dipie...@gmail.com>
wrote:
> ok. requires_login instead of login. Uploading to trunk.
>
> On Oct 17, 10:55 am, Jonathan Lundell <jlund...@pobox.com> wrote:
>
> > On Oct 17, 2011, at 6:21 AM, Massimo Di Pierro wrote:
>
> > > @auth.requires(condition)
>
> > > First it checks that the user is logged in, then it checks whether the
> > > condition is True or False.
> > > This behavior has changed but it was undocumented.
>
> > > I guess next question is how do you do what you need to do. I thought
> > > about it and I pushed this to trunk:
>
> > > @auth.requires(request.client=='127.0.0.1' or auth.user,login=False)
>
> > > The login=False skips the pre-check on user login.
>
> > Could that be changed perhaps to require_login=False? It's a little less 
> > ambiguous, since login=False could be read to require that the user *not* 
> > be logged in.
>
> > > Massimo
>
> > > On Oct 17, 1:19 am, "Ray (a.k.a. Iceberg)" <iceb...@21cn.com> wrote:
> > >> Thanks for the workaround, I might take that. But I will still argue
> > >> that:
>
> > >> 1. Does authentication have to mean logged-in, or can it be something
> > >> else, such as "accessing from localhost", "accessing via ajax", etc.?
>
> > >> 2. If @auth already means authentication, why is there still an
> > >> auth.requires_login() which is implemented as
> > >> auth.requires(auth.is_logged_in())? Shouldn't this implementation
> > >> imply that auth.requires() does not check is_logged_in()? All in all,
> > >> what are auth.requires()'s semantics?
>
> > >> Regards,
> > >> Ray
>
> > >> On Oct 17, 1:41 pm, Bruno Rocha <rochacbr...@gmail.com> wrote:
>
> > >>> I think it should be, because @auth means authentication, so it needs
> > >>> an authenticated user.
>
> > >>> In your case I would do it differently.
>
> > >>> def secret():
> > >>>    if not request.client == '127.0.0.1' or not auth.user:
> > >>>        redirect(URL('default', 'user', args='login'))
> > >>>    return {"": "some cool stuff"}
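As an added illustration (not code from this thread or from web2py itself), here is a toy model of the two auth.requires() semantics discussed above: the 1.99 pre-check that demands a logged-in user before the condition is evaluated, and the trunk change that skips that pre-check via requires_login=False. FakeAuth, FakeRequest, NotAuthorized and secret_allowed are constructed names; real web2py redirects to the login page instead of raising.

```python
from functools import wraps


class NotAuthorized(Exception):
    """Stands in for web2py's redirect to the login page (constructed for this example)."""


class FakeRequest:
    def __init__(self, client):
        self.client = client  # remote address, like web2py's request.client


class FakeAuth:
    """Toy model of auth.requires with the login pre-check discussed in the thread.

    requires_login=True  -> 1.99 behaviour: a logged-in user is required before
                            the condition is even looked at.
    requires_login=False -> the trunk change: only the condition decides.
    """

    def __init__(self, user=None):
        self.user = user  # None models an anonymous (unregistered) visitor

    def is_logged_in(self):
        return self.user is not None

    def requires(self, condition, requires_login=True):
        def decorator(action):
            @wraps(action)
            def wrapper(*args, **kwargs):
                if requires_login and not self.is_logged_in():
                    raise NotAuthorized("login required")
                # accept a plain bool (evaluated by the caller) or a callable
                allowed = condition() if callable(condition) else condition
                if not allowed:
                    raise NotAuthorized("condition is false")
                return action(*args, **kwargs)
            return wrapper
        return decorator


def secret_allowed(auth, request, requires_login=True):
    """True if the 'secret' action from the thread would run, False if it would redirect."""
    @auth.requires(lambda: request.client == '127.0.0.1' or auth.user,
                   requires_login=requires_login)
    def secret():
        return "some cool stuff"
    try:
        return secret() == "some cool stuff"
    except NotAuthorized:
        return False
```

With the pre-check on, an anonymous visitor from localhost is still turned away even though the condition itself would pass; only requires_login=False gives the "localhost or logged in" semantics Ray asked for.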
