True. It also allowed simplifying the logic of the other decorators since now they all call auth.requires(...) and this limited some duplication of code.

On Oct 18, 11:57 am, "Ray (a.k.a. Iceberg)" <[email protected]> wrote:
> Thanks Massimo and everyone took part in this thread.
>
> By the way, Massimo did not give the reason why changed
> auth.requires() behavior in 1.99.x, but here is my guess: otherwise it
> would become an easy mistake for web2py users (all of us), to just
> write auth.requires(condition) and forgetting it could become a
> vulnerability for unregistered end users.
>
> Regards,
> Ray
>
> On Oct 18, 6:29 am, Massimo Di Pierro <[email protected]>
> wrote:
>
> > ok. requires_login instead of login. Uploading to trunk.
> >
> > On Oct 17, 10:55 am, Jonathan Lundell <[email protected]> wrote:
> >
> > > On Oct 17, 2011, at 6:21 AM, Massimo Di Pierro wrote:
> > >
> > > > @auth.requires(condition)
> > > >
> > > > First checks that user is logged in then it check whether the
> > > > condition is true or False.
> > > > This behavior has changed but it was undocumented.
> > > >
> > > > I guess next question is how do you do what you need to do. I thought
> > > > about it and I pushed this to trunk:
> > > >
> > > > @auth.requires(request.client=='127.0.0.1' or auth.user,login=False)
> > > >
> > > > The login=False skips the pre-check on user login.
> > >
> > > Could that be changed perhaps to require_login=False? It's a little less
> > > ambiguous, since login=False could be read to require that the user *not*
> > > be logged in.
> > >
> > > > Massimo
> > > >
> > > > On Oct 17, 1:19 am, "Ray (a.k.a. Iceberg)" <[email protected]> wrote:
> > > >> Thanks for the workaround, I might take that. But I will still argue
> > > >> that:
> > > >>
> > > >> 1. Does authentication have to mean logged-in, or can it be something
> > > >> else, such as "accessing from localhost", "accessing via ajax", etc.?
> > > >>
> > > >> 2. if @auth already means authentication, why there is still an
> > > >> auth.requires_login() which implemented as
> > > >> auth.requires(auth.is_logged_in())? Shouldn't this implementation
> > > >> imply that auth.requires() does not check is_logged_in()? All in all,
> > > >> what is auth.requires()'s semantics?
> > > >>
> > > >> Regards,
> > > >> Ray
> > > >>
> > > >> On Oct 17, 1:41 pm, Bruno Rocha <[email protected]> wrote:
> > > >>
> > > >>> I think it should be, because @auth means authentication, so needs
> > > >>> authenticated user.
> > > >>>
> > > >>> In your case I should do differently.
> > > >>>
> > > >>> def secret():
> > > >>>     if not request.client == '127.0.0.1' or not auth.user:
> > > >>>         redirect(URL('default', 'user', args='login'))
> > > >>>     return {"": "some cool stuff"}
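
The decorator semantics discussed in this thread, as an added example that is not part of the original messages and is not web2py's own code. MiniAuth, AccessDenied, local_or_user, outcome and the request dicts are hypothetical stand-ins; the condition is modelled as a callable so it is evaluated on each call.

```python
# Stand-in model of the decorator semantics described in this thread.
# Not web2py source: MiniAuth, AccessDenied and the request dicts are hypothetical.
import functools

class AccessDenied(Exception):
    """Raised where a real application would redirect to the login page."""

class MiniAuth:
    def __init__(self):
        self.user = None  # set to a dict when a user is logged in

    def is_logged_in(self):
        return self.user is not None

    def requires(self, condition, requires_login=True):
        # condition is a callable, evaluated on every call.
        # With requires_login=True the login pre-check runs before it.
        def decorator(action):
            @functools.wraps(action)
            def wrapper(request):
                if requires_login and not self.is_logged_in():
                    raise AccessDenied("login required")
                if not condition(request):
                    raise AccessDenied("condition failed")
                return action(request)
            return wrapper
        return decorator

auth = MiniAuth()

def local_or_user(request):
    return request["client"] == "127.0.0.1" or auth.is_logged_in()

@auth.requires(local_or_user)  # default: login pre-check applies
def secret_default(request):
    return "some cool stuff"

@auth.requires(local_or_user, requires_login=False)  # pre-check skipped
def secret_local_ok(request):
    return "some cool stuff"

def outcome(action, client, user=None):
    """Call action as the given client/user; return its result or 'denied'."""
    auth.user = user
    try:
        return action({"client": client})
    except AccessDenied:
        return "denied"
```

With the default, an anonymous request from 127.0.0.1 is denied even though the condition itself would pass; only the requires_login=False form lets the condition alone decide.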

