The problem was that I removed the other conditions (to make it more basic); this is the code that fails:

@auth.requires(auth.has_membership(role='Admin') or \
               auth.has_membership(role='Soporte') or \
               auth.has_membership(role='Consulta_Soporte') or \
               auth.has_membership(role='Consulta_Clientes'))

Or is there a better way? I can only imagine that auth requires being logged in; what other kind of authorization do we have without login?

2011/3/17 Massimo Di Pierro <massimo.dipie...@gmail.com>

> I considered this a bug fix but I am open to discussion.
>
> This
>
> @auth.requires(auth.has_membership(role='Admin'))
>
> should have been
>
> @auth.requires_membership(role='Admin')
>
> OR
>
> @auth.requires(auth.user and auth.has_membership(role='Admin'))
>
> Before
>
> @auth.requires(...)
>
> was assuming a logged-in user, thus setting a restriction on the
> usage. auth.requires may be used, for example, to restrict access based on
> some other condition than login. Or did we say auth.requires always
> requires login?
>
> Massimo
>
> On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
> >
> > > @auth.requires(auth.has_membership(role='Admin'))
> > > def index():
> > >     return dict()
> >
> > > This no longer redirects to the login page; instead it shows a not
> > > authorized message. This only happens in trunk.
> >
> > The two lines marked below were removed when Massimo put in the 403-error
> > handling for RESTful requests, but the commit message doesn't mention them.
> > Was that an accident?
> >
> > def requires(self, condition):
> >     """
> >     decorator that prevents access to action if not logged in
> >     """
> >
> >     def decorator(action):
> >
> >         def f(*a, **b):
> >             if self.settings.allow_basic_login_only and not self.basic():   <<<<<<<<<<<
> >                 return call_or_redirect(self.settings.on_failed_authorization)   <<<<<<<<<<<
> >
> >             if not condition:
> >                 if not self.basic() and not self.is_logged_in():
> >                     request = self.environment.request
> >                     next = URL(r=request,args=request.args,
> >                                vars=request.get_vars)
> >                     self.environment.session.flash = self.environment.response.flash
> >                     return call_or_redirect(self.settings.on_failed_authentication,
> >                                             self.settings.login_url + \
> >                                             '?_next='+urllib.quote(next))
> >                 else:
> >                     self.environment.session.flash = \
> >                         self.messages.access_denied
> >                     return call_or_redirect(self.settings.on_failed_authorization)
> >             return action(*a, **b)
> >         f.__doc__ = action.__doc__
> >         f.__name__ = action.__name__
> >         f.__dict__.update(action.__dict__)
> >         return f
> >
> >     return decorator

--
Pablo Martín Mulone (mar...@tecnodoc.com.ar)
http://www.tecnodoc.com.ar/
My blog: http://martin.tecnodoc.com.ar
Expert4Solution Profile: http://www.experts4solutions.com/e4s/default/expert/6
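
Added example (not part of the thread and not web2py's code): a stand-alone Python model of the distinction discussed above, where a failed login check sends the visitor to the login page and a failed role check returns "not authorized". `MiniAuth`, the `requires_login` parameter, `outcome`, the `/login` URL and the sample users are assumptions made for the illustration.

```python
from functools import wraps

ROLES = ("Admin", "Soporte", "Consulta_Soporte", "Consulta_Clientes")

class MiniAuth:
    """Hypothetical stand-in for an auth object (not web2py's Auth class)."""

    def __init__(self, user=None, roles=()):
        self.user = user            # None models an anonymous visitor
        self.roles = set(roles)

    def is_logged_in(self):
        return self.user is not None

    def has_membership(self, role):
        return self.is_logged_in() and role in self.roles

    def requires(self, condition, requires_login=True):
        """condition: bool or zero-argument callable, checked on every call."""
        def decorator(action):
            @wraps(action)  # keeps __name__, __doc__ and __dict__ of the action
            def f(*a, **b):
                # Authentication first: anonymous visitors are sent to login.
                if requires_login and not self.is_logged_in():
                    return ("redirect", "/login")   # constructed URL
                ok = condition() if callable(condition) else condition
                if not ok:
                    # Authorization failure: the condition itself was not met.
                    return ("denied", 403)
                return action(*a, **b)
            return f
        return decorator

def outcome(user, roles, requires_login=True):
    """Run a protected action for a constructed user; return the result kind."""
    auth = MiniAuth(user, roles)

    @auth.requires(lambda: any(auth.has_membership(r) for r in ROLES),
                   requires_login=requires_login)
    def index():
        return ("ok", {})

    return index()[0]

if __name__ == "__main__":
    for args in [(None, ()), ("ana", ("Soporte",)), ("bob", ("Ventas",))]:
        print(args, "->", outcome(*args))
    print("condition only, anonymous ->", outcome(None, (), requires_login=False))
```

With the login check in place an anonymous visitor is redirected; with the condition evaluated alone the same visitor gets the not-authorized result, which is the change in behaviour reported for trunk.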