for example auth.requires(request.ajax)
you can do @auth.requires(auth.user and (auth.has_membership(role='Admin') or \ auth.has_membership(role='Soporte') or \ auth.has_membership(role='Consulta_Soporte') or \ auth.has_membership(role='Consulta_Clientes'))) Anyway, if this turns out to be a major backward compatibility issue for you, I will revert it today. Massimo On Mar 17, 11:53 am, Martín Mulone <mulone.mar...@gmail.com> wrote: > The problem was that I remove the others conditions (to make it more basic), > this is the code that brings the fail: > > @auth.requires(auth.has_membership(role='Admin') or \ > auth.has_membership(role='Soporte') or \ > auth.has_membership(role='Consulta_Soporte') or \ > auth.has_membership(role='Consulta_Clientes') ) > > or there are a better way?. I only can imagine that auth require to be > logged-in, what other kind of authorization we have without login? > > 2011/3/17 Massimo Di Pierro <massimo.dipie...@gmail.com> > > > > > > > > > > > I considered this a bug fix but I am open to discussion. > > > This > > > @auth.requires(auth.has_membership(role='Admin')) > > > should have been > > > @auth.requires_membership(role='Admin') > > > OR > > > @auth.requires(auth.user and auth.has_membership(role='Admin')) > > > Before > > > @auth.requires(...) > > > was assuming a logged-in user thus settings a restriction on the > > usage. auth.requires may be used for example restrict access based on > > some other condition than login. Or did we say auth.requires always > > requires login? > > > Massimo > > > On Mar 17, 10:25 am, Jonathan Lundell <jlund...@pobox.com> wrote: > > > On Mar 17, 2011, at 7:29 AM, Martín Mulone wrote: > > > > > @auth.requires(auth.has_membership(role='Admin')) > > > > def index(): > > > > return dict() > > > > > No longer redirect to login page, instead show not authorized message. > > This only happen in trunk. > > > > The two lines marked below were removed when Massimo put in the 403-error > > handling for RESTful requests, but the commit message doesn't mention them. > > Was that an accident? > > > > def requires(self, condition): > > > """ > > > decorator that prevents access to action if not logged in > > > """ > > > > def decorator(action): > > > > def f(*a, **b): > > > if self.settings.allow_basic_login_only and not > > self.basic(): <<<<<<<<<<< > > > return > > call_or_redirect(self.settings.on_failed_authorization) <<<<<<<<<<< > > > > if not condition: > > > if not self.basic() and not self.is_logged_in(): > > > request = self.environment.request > > > next = URL(r=request,args=request.args, > > > vars=request.get_vars) > > > self.environment.session.flash = > > self.environment.response.flash > > > return > > call_or_redirect(self.settings.on_failed_authentication, > > > self.settings.login_url + > > \ > > > '?_next='+urllib.quote(next)) > > > else: > > > self.environment.session.flash = \ > > > self.messages.access_denied > > > return > > call_or_redirect(self.settings.on_failed_authorization) > > > return action(*a, **b) > > > f.__doc__ = action.__doc__ > > > f.__name__ = action.__name__ > > > f.__dict__.update(action.__dict__) > > > return f > > > > return decorator > > -- > Pablo Martín Mulone (mar...@tecnodoc.com.ar)http://www.tecnodoc.com.ar/ > > My blog:http://martin.tecnodoc.com.ar > Expert4Solution Profile:http://www.experts4solutions.com/e4s/default/expert/6