I think this should be considered a bug and I agree with the change.
Anybody opposed?

Massimo

On Sep 7, 11:46 pm, Alexey Nezhdanov <snak...@gmail.com> wrote:
> Hi. I think that I found some inconsistency in the topic.
> When you do, say,
> auth.add_permission(group_id) - it assumes the permission name 'any', table
> name empty and record_id 0.
> Which in turn feels like "full admin rights" - any action on any table on
> any record.
> In fact, that gives no permissions whatsoever.
>
> I've come up with the following patch to make it work for me, but since
> that is the very core of RBAC, I'm not sure if that is the right solution or
> if I am looking in the correct direction at all.
>
> --- tools.old.py        2010-09-08 08:40:22.266751051 +0400
> +++ tools.py    2010-09-08 08:41:25.894746181 +0400
> @@ -2420,10 +2420,9 @@
>                   == record_id).select(permission.group_id)
>          groups_required = set([row.group_id for row in rows])
>          if record_id:
> -            rows = self.db(permission.name
> -                            == name)(permission.table_name
> -                     == str(table_name))(permission.record_id
> -                     == 0).select(permission.group_id)
> +            rows = self.db(permission.name.belongs((name,'any'))&
> +
> permission.table_name.belongs((str(table_name),''))&
> +
> permission.record_id.belongs((record_id,0))).select(permission.group_id)
>              groups_required = groups_required.union(set([row.group_id
>                      for row in rows]))
>          if groups.intersection(groups_required):
>
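Review bot: The new filter sits inside `if record_id:`, so a check made with a record_id of 0 never reaches the 'any' / '' fallback; if the intent is that `auth.add_permission(group_id)` acts as a wildcard, the query above the `if` needs the same treatment. The three `belongs` tests are also independent of each other, so a row with name 'any' on a single table, or a named permission with an empty table_name, now matches too. Because this widens what already-stored rows with those default values grant, the wildcard semantics should be stated in the docstring and existing auth_permission rows reviewed before the change goes in.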
> Regards
> Alexey
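
A constructed model of the lookup before and after the patch quoted above, added here as an illustration; it is not web2py code and not from either poster. The `Perm` rows, the function names, and the assumption that the first query (only partly visible in the hunk) is an exact match on name, table and record are all hypothetical.

```python
from collections import namedtuple

# Constructed stand-in for auth_permission rows (not the web2py DAL).
Perm = namedtuple("Perm", "group_id name table_name record_id")

# Constructed sample data. Group 1 holds the defaults the post describes
# for auth.add_permission(group_id): name 'any', empty table, record 0.
PERMS = [
    Perm(1, "any", "", 0),
    Perm(2, "read", "invoice", 0),
    Perm(3, "any", "invoice", 0),
    Perm(4, "delete", "", 0),
]

def _exact(perms, name, table_name, record_id):
    # Assumption: the first query matches all three fields exactly.
    key = (name, str(table_name), record_id)
    return {p.group_id for p in perms
            if (p.name, p.table_name, p.record_id) == key}

def groups_old(perms, name, table_name, record_id):
    """Pre-patch: for a specific record, also accept record_id == 0."""
    groups = _exact(perms, name, table_name, record_id)
    if record_id:
        groups |= _exact(perms, name, table_name, 0)
    return groups

def groups_new(perms, name, table_name, record_id):
    """Post-patch: the three belongs() filters, each matched independently."""
    groups = _exact(perms, name, table_name, record_id)
    if record_id:
        groups |= {p.group_id for p in perms
                   if p.name in (name, "any")
                   and p.table_name in (str(table_name), "")
                   and p.record_id in (record_id, 0)}
    return groups

if __name__ == "__main__":
    for args in [("read", "invoice", 7), ("delete", "invoice", 7),
                 ("read", "invoice", 0)]:
        print(args, sorted(groups_old(PERMS, *args)),
              sorted(groups_new(PERMS, *args)))
```
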
