for example

auth.requires(request.ajax)

you can do

@auth.requires(auth.user and (auth.has_membership(role='Admin') or \
               auth.has_membership(role='Soporte') or \
               auth.has_membership(role='Consulta_Soporte') or \
               auth.has_membership(role='Consulta_Clientes')))

Anyway, if this turns out to be a major backward compatibility issue
for you, I will revert it today.

Massimo

On Mar 17, 11:53 am, Martín Mulone <mulone.mar...@gmail.com> wrote:
> The problem was that I removed the other conditions (to make it more basic);
> this is the code that causes the failure:
>
> @auth.requires(auth.has_membership(role='Admin') or \
>                auth.has_membership(role='Soporte') or \
>                auth.has_membership(role='Consulta_Soporte') or \
>                auth.has_membership(role='Consulta_Clientes') )
>
> Or is there a better way? I can only imagine that auth requires being
> logged in; what other kind of authorization do we have without login?
>
> 2011/3/17 Massimo Di Pierro <massimo.dipie...@gmail.com>
>
> > I considered this a bug fix but I am open to discussion.
>
> > This
>
> > @auth.requires(auth.has_membership(role='Admin'))
>
> > should have been
>
> > @auth.requires_membership(role='Admin')
>
> > OR
>
> > @auth.requires(auth.user and auth.has_membership(role='Admin'))
>
> > Before
>
> > @auth.requires(...)
>
> > was assuming a logged-in user, thus setting a restriction on the
> > usage. auth.requires may be used, for example, to restrict access based on
> > some condition other than login. Or did we say auth.requires always
> > requires login?
>
> > Massimo
>
> > On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> > > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote:
>
> > > > @auth.requires(auth.has_membership(role='Admin'))
> > > > def index():
> > > >     return dict()
>
> > > > It no longer redirects to the login page; instead it shows a not-authorized
> > > > message. This only happens in trunk.
>
> > > The two lines marked below were removed when Massimo put in the 403-error
> > > handling for RESTful requests, but the commit message doesn't mention them.
> > > Was that an accident?
>
> > >     def requires(self, condition):
> > >         """
> > >         decorator that prevents access to action if not logged in
> > >         """
>
> > >         def decorator(action):
>
> > >             def f(*a, **b):
> > >                 if self.settings.allow_basic_login_only and not self.basic():           <<<<<<<<<<<
> > >                     return call_or_redirect(self.settings.on_failed_authorization)      <<<<<<<<<<<
>
> > >                 if not condition:
> > >                     if not self.basic() and not self.is_logged_in():
> > >                         request = self.environment.request
> > >                         next = URL(r=request,args=request.args,
> > >                                    vars=request.get_vars)
> > >                         self.environment.session.flash = self.environment.response.flash
> > >                         return call_or_redirect(self.settings.on_failed_authentication,
> > >                                                 self.settings.login_url + \
> > >                                                 '?_next='+urllib.quote(next))
> > >                     else:
> > >                         self.environment.session.flash = \
> > >                             self.messages.access_denied
> > >                         return call_or_redirect(self.settings.on_failed_authorization)
> > >                 return action(*a, **b)
> > >             f.__doc__ = action.__doc__
> > >             f.__name__ = action.__name__
> > >             f.__dict__.update(action.__dict__)
> > >             return f
>
> > >         return decorator
>
> --
> Pablo Martín Mulone (mar...@tecnodoc.com.ar) http://www.tecnodoc.com.ar/
>
> My blog: http://martin.tecnodoc.com.ar
> Expert4Solution Profile: http://www.experts4solutions.com/e4s/default/expert/6
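
A simplified, stand-alone model of the `if not condition:` branch in the `requires` decorator quoted in this thread, added here as an illustration (it is not web2py's code and not from any poster). `ModelAuth`, `serve`, the login URL and the returned tuples are assumptions; it shows why an anonymous request and a logged-in request without the role take different failure paths.

```python
from urllib.parse import quote

ALLOWED = ('Admin', 'Soporte', 'Consulta_Soporte', 'Consulta_Clientes')

class ModelAuth:
    """Stand-in for web2py's Auth (assumed, simplified): one instance per request."""
    login_url = '/default/user/login'  # constructed value

    def __init__(self, user=None, roles=(), path='/'):
        self.user, self.roles, self.path = user, set(roles), path

    def is_logged_in(self):
        return self.user is not None

    def has_membership(self, role):
        return self.is_logged_in() and role in self.roles

    def requires(self, condition):
        # Same branch order as the quoted decorator: a false condition is an
        # authentication failure for anonymous users (send to login, keep the
        # target in _next), otherwise an authorization failure.
        def decorator(action):
            def f(*a, **b):
                if not condition:
                    if not self.is_logged_in():
                        return ('login', self.login_url + '?_next=' + quote(self.path))
                    return ('denied', 'access denied')
                return action(*a, **b)
            f.__name__ = action.__name__
            f.__doc__ = action.__doc__
            return f
        return decorator

def serve(user=None, roles=(), path='/app/default/index'):
    """Simulate one request: the condition is evaluated when the decorator is
    applied, so it is rebuilt here for every request."""
    auth = ModelAuth(user, roles, path)

    # Explicit login check plus any-of-roles, as suggested in the thread.
    @auth.requires(auth.user and any(auth.has_membership(r) for r in ALLOWED))
    def index():
        return ('ok', auth.path)

    return index()
```
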
