The problem was that I removed the other conditions (to make it more basic);
this is the code that causes the failure:

@auth.requires(auth.has_membership(role='Admin') or \
               auth.has_membership(role='Soporte') or \
               auth.has_membership(role='Consulta_Soporte') or \
               auth.has_membership(role='Consulta_Clientes') )

Or is there a better way? I can only imagine that auth requires being
logged in; what other kind of authorization do we have without login?

2011/3/17 Massimo Di Pierro <massimo.dipie...@gmail.com>

> I considered this a bug fix but I am open to discussion.
>
> This
>
> @auth.requires(auth.has_membership(role='Admin'))
>
> should have been
>
> @auth.requires_membership(role='Admin')
>
> OR
>
> @auth.requires(auth.user and auth.has_membership(role='Admin'))
>
> Before
>
> @auth.requires(...)
>
> was assuming a logged-in user, thus setting a restriction on the
> usage. auth.requires may be used, for example, to restrict access based on
> some other condition than login. Or did we say auth.requires always
> requires login?
>
> Massimo
>
> On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
> >
> > > @auth.requires(auth.has_membership(role='Admin'))
> > > def index():
> > >     return dict()
> >
> > > No longer redirects to the login page; instead it shows a not authorized message. This only happens in trunk.
> >
> > The two lines marked below were removed when Massimo put in the 403-error handling for RESTful requests, but the commit message doesn't mention them. Was that an accident?
> >
> >     def requires(self, condition):
> >         """
> >         decorator that prevents access to action if not logged in
> >         """
> >
> >         def decorator(action):
> >
> >             def f(*a, **b):
> >                 if self.settings.allow_basic_login_only and not self.basic():  # <<<<<<<<<<<
> >                     return call_or_redirect(self.settings.on_failed_authorization)  # <<<<<<<<<<<
> >
> >                 if not condition:
> >                     if not self.basic() and not self.is_logged_in():
> >                         request = self.environment.request
> >                         next = URL(r=request,args=request.args,
> >                                    vars=request.get_vars)
> >                         self.environment.session.flash = self.environment.response.flash
> >                         return call_or_redirect(self.settings.on_failed_authentication,
> >                                                 self.settings.login_url + \
> >                                                 '?_next='+urllib.quote(next))
> >                     else:
> >                         self.environment.session.flash = \
> >                             self.messages.access_denied
> >                         return call_or_redirect(self.settings.on_failed_authorization)
> >                 return action(*a, **b)
> >             f.__doc__ = action.__doc__
> >             f.__name__ = action.__name__
> >             f.__dict__.update(action.__dict__)
> >             return f
> >
> >         return decorator
>



-- 
Pablo Martín Mulone (mar...@tecnodoc.com.ar)
http://www.tecnodoc.com.ar/

My blog: http://martin.tecnodoc.com.ar
Expert4Solution Profile:
http://www.experts4solutions.com/e4s/default/expert/6
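
Added example, not part of the thread and not web2py's code: a stand-alone model of a role decorator that checks login before membership, so an anonymous visitor gets the login redirect while a logged-in user holding none of the four roles gets the denial. The `Auth` class, `requires_any_role`, `outcome`, `LOGIN_URL`, the return tuples and the sample users are assumptions made for illustration.

```python
from functools import wraps

LOGIN_URL = "/user/login"  # assumed path, not taken from the thread


class Auth:
    """Minimal stand-in for an auth object (hypothetical, not web2py's Auth)."""

    def __init__(self, user=None, roles=()):
        self.user = user            # None means anonymous
        self.roles = set(roles)

    def is_logged_in(self):
        return self.user is not None

    def has_membership(self, role):
        return self.is_logged_in() and role in self.roles

    def requires_any_role(self, *roles):
        """Allow the action only if the current user holds one of `roles`."""
        def decorator(action):
            @wraps(action)  # keeps __name__, __doc__ and __dict__ of the action
            def f(*a, **b):
                # Authentication first: anonymous callers are sent to login.
                if not self.is_logged_in():
                    return ("redirect", LOGIN_URL)
                # Authorization second: known user without a matching role.
                if not any(self.has_membership(r) for r in roles):
                    return ("denied", 403)
                return action(*a, **b)
            return f
        return decorator


def outcome(auth):
    """Decorate a sample action for `auth` and call it."""
    @auth.requires_any_role("Admin", "Soporte",
                            "Consulta_Soporte", "Consulta_Clientes")
    def index():
        return ("ok", dict())
    return index()
```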
