Ticket #422 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

[PATCH] SecureResource isn't secure

Reported by: ksenia
Owned by: anonymous
Priority: high
Milestone: 0.9
Component: Identity
Version: 0.9a6
Severity: normal
Keywords:
Cc:

Description

When a controller class is a subclass of SecureResource, it doesn't work as expected - the access is not restricted. Example of the controller:

import turbogears
from turbogears import identity

class BaseController(identity.SecureResource):
    require = identity.not_anonymous()

    @turbogears.expose(template='.templates.dashboard')
    def index(self):
        return dict()

Attachments

predicate.patch (569 bytes) - added by ksenia 13 years ago.

Change History

Changed 13 years ago by ksenia

comment:1 Changed 13 years ago by Max <ischenko@…>

  • Status changed from new to closed
  • Resolution set to fixed

Committed as of r538.

comment:2 Changed 13 years ago by anonymous

  • Status changed from closed to reopened
  • Resolution fixed deleted

comment:3 Changed 13 years ago by ksenia

The code is changed again in r541, incorrectly, I think.

comment:4 Changed 13 years ago by Jeff Watkins

  • Status changed from reopened to closed
  • Resolution set to fixed

The correct check is:

if predicate is None or ...

The decorated function will be executed if there is NO predicate to test. Otherwise, if you had a @require decorator (or a SecureResource) with no predicate, you could never execute the function. Besides, if you say it aloud, it makes sense: "require none" or "require nothing".

This was corrected in r547.
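
A self-contained model of the rule stated in comment 4, added here as an illustration; it is not TurboGears code and not the r547 change. `check_access`, `SecureResourceModel`, `try_index`, `unguarded` and the dict-based identities are hypothetical, and the right-hand side of the `or` is an assumption because the ticket elides it.

```python
# Added illustration of comment 4's rule. NOT TurboGears source: every name
# here is hypothetical, and identities are plain dicts (constructed samples).
class AccessDenied(Exception):
    """Raised when a predicate rejects the current identity."""

def not_anonymous():
    """Predicate factory: true only when a user is attached to the identity."""
    return lambda ident: ident.get("user") is not None

def check_access(predicate, ident):
    # "require none": with no predicate there is nothing to test, so allow.
    # The right-hand side of the `or` is an assumption; the ticket elides it.
    if predicate is None or predicate(ident):
        return True
    raise AccessDenied("predicate failed")

class SecureResourceModel:
    """Stand-in for a base class whose class-level `require` guards every call."""
    require = None

    def dispatch(self, name, ident):
        # Read `require` from the class: via `self`, a plain function stored
        # as a class attribute would be bound as a method.
        check_access(type(self).require, ident)
        return getattr(self, name)()

class BaseController(SecureResourceModel):   # shape of the ticket's controller
    require = not_anonymous()
    def index(self):
        return dict()

class OpenController(SecureResourceModel):   # no predicate: open by design
    def index(self):
        return dict()

def try_index(controller, ident):
    """Return 'allowed' or 'denied' for a call to index()."""
    try:
        controller.dispatch("index", ident)
        return "allowed"
    except AccessDenied:
        return "denied"

def unguarded(classes):
    """Names of controllers that would run for anyone because require is None."""
    return [c.__name__ for c in classes if getattr(c, "require", None) is None]

ANONYMOUS = {"user": None}      # constructed sample identities
LOGGED_IN = {"user": "alice"}
```

Because a missing predicate allows the call, an inventory such as `unguarded` is what surfaces a controller that was meant to be protected but never set `require`.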
