The problem was that I remove the others conditions (to make it more basic),
this is the code that brings the fail:
@auth.requires(auth.has_membership(role='Admin') or \
auth.has_membership(role='Soporte') or \
auth.has_membership(role='Consulta_Soporte') or \
auth.has_membership(role='Consulta_Clientes') )
or there are a better way?. I only can imagine that auth require to be
logged-in, what other kind of authorization we have without login?
2011/3/17 Massimo Di Pierro <massimo.dipie...@gmail.com>
> I considered this a bug fix but I am open to discussion.
>
> This
>
> @auth.requires(auth.has_membership(role='Admin'))
>
> should have been
>
> @auth.requires_membership(role='Admin')
>
> OR
>
> @auth.requires(auth.user and auth.has_membership(role='Admin'))
>
> Before
>
> @auth.requires(...)
>
> was assuming a logged-in user thus settings a restriction on the
> usage. auth.requires may be used for example restrict access based on
> some other condition than login. Or did we say auth.requires always
> requires login?
>
> Massimo
>
>
>
>
>
> On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
> >
> > > @auth.requires(auth.has_membership(role='Admin'))
> > > def index():
> > > return dict()
> >
> > > No longer redirect to login page, instead show not authorized message.
> This only happen in trunk.
> >
> > The two lines marked below were removed when Massimo put in the 403-error
> handling for RESTful requests, but the commit message doesn't mention them.
> Was that an accident?
> >
> > def requires(self, condition):
> > """
> > decorator that prevents access to action if not logged in
> > """
> >
> > def decorator(action):
> >
> > def f(*a, **b):
> > if self.settings.allow_basic_login_only and not
> self.basic(): <<<<<<<<<<<
> > return
> call_or_redirect(self.settings.on_failed_authorization) <<<<<<<<<<<
> >
> > if not condition:
> > if not self.basic() and not self.is_logged_in():
> > request = self.environment.request
> > next = URL(r=request,args=request.args,
> > vars=request.get_vars)
> > self.environment.session.flash =
> self.environment.response.flash
> > return
> call_or_redirect(self.settings.on_failed_authentication,
> > self.settings.login_url +
> \
> >
> '?_next='+urllib.quote(next))
> > else:
> > self.environment.session.flash = \
> > self.messages.access_denied
> > return
> call_or_redirect(self.settings.on_failed_authorization)
> > return action(*a, **b)
> > f.__doc__ = action.__doc__
> > f.__name__ = action.__name__
> > f.__dict__.update(action.__dict__)
> > return f
> >
> > return decorator
>
--
Pablo Martín Mulone (mar...@tecnodoc.com.ar)
http://www.tecnodoc.com.ar/
My blog: http://martin.tecnodoc.com.ar
Expert4Solution Profile:
http://www.experts4solutions.com/e4s/default/expert/6
