I considered this a bug fix but I am open to discussion. This

    @auth.requires(auth.has_membership(role='Admin'))

should have been

    @auth.requires_membership(role='Admin')

OR

    @auth.requires(auth.user and auth.has_membership(role='Admin'))

Before, @auth.requires(...) was assuming a logged-in user, thus setting a restriction on the usage. auth.requires may be used, for example, to restrict access based on some other condition than login. Or did we say auth.requires always requires login?

Massimo

On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
>
> > @auth.requires(auth.has_membership(role='Admin'))
> > def index():
> >     return dict()
> >
> > No longer redirects to the login page, instead shows the not authorized message. This only happens in trunk.
>
> The two lines marked below were removed when Massimo put in the 403-error handling for RESTful requests, but the commit message doesn't mention them. Was that an accident?
>
>     def requires(self, condition):
>         """
>         decorator that prevents access to action if not logged in
>         """
>
>         def decorator(action):
>
>             def f(*a, **b):
>                 if self.settings.allow_basic_login_only and not self.basic():   <<<<<<<<<<<
>                     return call_or_redirect(self.settings.on_failed_authorization)   <<<<<<<<<<<
>
>                 if not condition:
>                     if not self.basic() and not self.is_logged_in():
>                         request = self.environment.request
>                         next = URL(r=request, args=request.args,
>                                    vars=request.get_vars)
>                         self.environment.session.flash = \
>                             self.environment.response.flash
>                         return call_or_redirect(self.settings.on_failed_authentication,
>                                                 self.settings.login_url + \
>                                                 '?_next=' + urllib.quote(next))
>                     else:
>                         self.environment.session.flash = \
>                             self.messages.access_denied
>                         return call_or_redirect(self.settings.on_failed_authorization)
>                 return action(*a, **b)
>             f.__doc__ = action.__doc__
>             f.__name__ = action.__name__
>             f.__dict__.update(action.__dict__)
>             return f
>
>         return decorator
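The point of the thread is that the quoted decorator distinguishes two failure modes for a false condition: an anonymous caller is a failed authentication and gets sent to the login page with a `_next` parameter, while a logged-in caller who fails the condition is a failed authorization and gets the access-denied message. The following is an added, stand-alone model of that decorator, not web2py's code and not anything posted in the thread. `FakeAuth`, `FakeRequest`, `Outcome` and `run` are assumed stand-ins (web2py's real `Auth`, `URL` and `call_or_redirect` are not used); the `_next` URL construction is an assumption that only mirrors the shape of the quoted `URL(...)` call.

```python
"""Model of the Auth.requires() decorator quoted in the thread (added example)."""
from dataclasses import dataclass, field
from urllib.parse import quote  # Python 3 equivalent of the urllib.quote in the quoted code


@dataclass
class Outcome:
    kind: str          # "redirect" (failed authentication), "denied" (failed authorization) or "ok"
    detail: str = ""   # redirect target, flash message, or the action's result


@dataclass
class FakeRequest:
    """Assumed stand-in for web2py's request object: just enough to build a _next URL."""
    path: str
    args: list = field(default_factory=list)
    get_vars: dict = field(default_factory=dict)


class FakeAuth:
    """Assumed stand-in for web2py's Auth with only the state the decorator needs."""
    login_url = "/default/user/login"
    access_denied = "Insufficient privileges"

    def __init__(self, user=None, roles=()):
        self.user = user              # None models an anonymous visitor
        self.roles = set(roles)
        self.request = FakeRequest("/default/index")

    def is_logged_in(self):
        return self.user is not None

    def basic(self):
        return False                  # no HTTP basic auth in this model

    def has_membership(self, role):
        return self.is_logged_in() and role in self.roles

    def _login_url_with_next(self):
        # Assumed reconstruction of the requested URL so the visitor returns
        # to the page they asked for after logging in (the quoted code's ?_next=).
        req = self.request
        next_url = req.path + ("/" + "/".join(req.args) if req.args else "")
        if req.get_vars:
            next_url += "?" + "&".join(f"{k}={v}" for k, v in sorted(req.get_vars.items()))
        return self.login_url + "?_next=" + quote(next_url, safe="")

    def requires(self, condition):
        """Same branching as the quoted decorator, returning an Outcome instead of redirecting."""
        def decorator(action):
            def f(*a, **b):
                if not condition:
                    if not self.basic() and not self.is_logged_in():
                        # failed authentication: send the visitor to log in, preserving _next
                        return Outcome("redirect", self._login_url_with_next())
                    # failed authorization: logged in, but the condition is false
                    return Outcome("denied", self.access_denied)
                return Outcome("ok", action(*a, **b))
            f.__name__ = action.__name__
            f.__doc__ = action.__doc__
            return f
        return decorator


def run(auth):
    """Decorate an action exactly as in the bug report and return the outcome."""
    @auth.requires(auth.has_membership(role="Admin"))
    def index():
        return "admin page"
    return index()


if __name__ == "__main__":
    print(run(FakeAuth()))                                  # anonymous -> redirect to login
    print(run(FakeAuth(user="bob", roles=["Editor"])))      # logged in, wrong role -> denied
    print(run(FakeAuth(user="alice", roles=["Admin"])))     # admin -> ok
```

Note that `condition` is a plain value: it is evaluated when the decorator is applied, not when the action runs. `run` applies the decorator afresh on every call to model the fact that the condition is recomputed each time the decorated code is executed; a decorator applied once at import time would freeze the membership check at its first value.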