
Ticket #2063 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

Can't use @require decorator and require property in the same controller.

Reported by: radityo
Owned by: Gustavo
Priority: normal
Milestone: 2.0b1
Component: TurboGears
Version: trunk
Severity: minor
Keywords:
Cc:

Description

(Posted on http://groups.google.com/group/turbogears-trunk/browse_thread/thread/bb3915e8dfb8c8c)

In TG2b1 with tg.authorize I can do this:

    class SomeSecureController(SecureController):
        # Controller-wide predicate, stored in a class attribute named "require"
        require = authorize.has_permission('onePermission')

        @expose('my_package.template.index')
        def index(self):
            # do something here
            pass

        @expose('my_package.template.add')
        @authorize.require(authorize.has_permission('specialPerm'))
        def do_things(self, **kw):
            # do other things here
            pass

But since TG2b2 with repoze.what it will throw an error:

    >>  @require(predicates.has_permission('specialPerm'))
    TypeError: 'has_permission' object is not callable 

How to replicate:

  1. Create a new project using quickstart (I use 'Uji' as the project name and 'uji' as the module name)
  2. Modify controllers\secc.py:

change

    from repoze.what.predicates import has_permission

to

    from repoze.what.predicates import has_permission, is_user

and change

    @expose('uji.templates.index')
    def some_where(self):

to

    @expose('uji.templates.index')
    @require(is_user('editor'))
    def some_where(self):

  3. Run the server and open a page. It will throw:

    Error Traceback:
    ⇝ TypeError: 'has_permission' object is not callable
    Module ?:10 in <module>         view
    <<  from dbsprockets.saprovider import SAProvider
        from repoze.what import predicates
        from uji.controllers.secc import Secc
       
        class RootController(BaseController):
    >>  from uji.controllers.secc import Secc
    Module ?:12 in <module>         view
    <<  class Secc(BaseController):
            """Sample controller-wide authorization"""
    >>  class Secc(BaseController):
    Module ?:24 in Secc         view
    <<      @expose('uji.templates.index')
            @require(is_user('editor'))
            def some_where(self):
                """should be protected because of the require attr
    >>  @require(is_user('editor'))
    TypeError: 'has_permission' object is not callable
    

additional info:

__doc__  	'Sample controller-wide authorization'
__module__ 	'uji.controllers.secc'
index 	        <function index at 0xa91648c>
require 	<repoze.what.predicates.has_permission object at 0xa97f66c>

Change History

comment:1 Changed 10 years ago by Gustavo

  • Status changed from new to assigned
  • Owner changed from Gustavo Narea to Gustavo

Thanks for the report! I'm taking care of this.

comment:2 Changed 10 years ago by jorge.vargas

  • Milestone changed from 2.0 to 2.0b1

I'd really like to see this; a very normal use case is to require an authenticated user controller-wide, and then a specific permission like "edit" on each method.

comment:3 Changed 10 years ago by mramm

  • Version changed from 1.9.x to trunk

comment:4 Changed 10 years ago by Gustavo

  • Status changed from assigned to closed
  • Resolution set to fixed

Fixed in [5868].

This is a pretty old bug and has been discovered recently thanks to radityo. It's caused by a namespace collision: "require" inside the controller refers to its "require" attribute, not the @require decorator.

Hence, the solution has been to rename that attribute to "_require":

    class SomeSecureController(BaseController):
        # Controller-wide predicate, renamed so it no longer shadows @require
        _require = predicates.has_permission('onePermission')

        @expose('my_package.template.index')
        def index(self):
            # do something here
            pass

        @expose('my_package.template.add')
        @authorize.require(predicates.has_permission('specialPerm'))
        def do_things(self, **kw):
            # do other things here
            pass
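
The namespace collision described in comment 4, reproduced as an added example that is not code from the ticket, TurboGears or repoze.what. `has_permission`, `require` and `is_allowed` are simplified stand-ins written for this illustration; the last one shows the controller-wide check and the per-method check being enforced together once the attribute is renamed.

```python
# Stand-ins for illustration only; these are NOT the repoze.what or TurboGears APIs.
class has_permission:
    """Predicate object: holds a permission name, deliberately not callable."""
    def __init__(self, name):
        self.name = name

    def is_met(self, granted):
        return self.name in granted


def require(predicate):
    """Decorator that records a per-method predicate on the function."""
    def decorate(func):
        func.predicate = predicate
        return func
    return decorate


def define_colliding_controller():
    """Class body from the report: the attribute shadows the decorator."""
    try:
        class Broken:
            require = has_permission('onePermission')   # class-body name 'require'

            @require(has_permission('specialPerm'))     # now resolves to the attribute
            def do_things(self):
                return 'done'
    except TypeError as exc:
        return str(exc)
    return None


class Fixed:
    _require = has_permission('onePermission')          # renamed, no shadowing

    def index(self):
        return 'index'

    @require(has_permission('specialPerm'))             # module-level decorator again
    def do_things(self):
        return 'done'


def is_allowed(controller, method_name, granted):
    """Controller-wide predicate first, then the method's own, if any."""
    checks = [getattr(controller, '_require', None),
              getattr(getattr(controller, method_name), 'predicate', None)]
    return all(p.is_met(granted) for p in checks if p is not None)
```

The failure happens while the class body is being executed, so the controller module fails to import and no request is ever served with a missing check.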