| 149 | === auth.permission.fail === |
| 150 | |
| 151 | In case of failure, a well-defined response action must take place: |
| 152 | |
| 153 | - in interactive formats: |
| 154 | - the user should be informed that he has insufficient permissions (if already logged-in) |
| 155 | - the user should be requested to login (+forwarded to the login page) |
| 156 | - in non-interactive formats |
| 157 | - the client must receive a HTTP 401 (Authorization Required) error if not logged-in in order to trigger an authentication attempt |
| 158 | - the client must receive a HTTP 403 (Forbidden) error code to cancel its attempt properly |
| 159 | |
| 160 | All this is covered by the {{{auth.permission.fail()}}} method: |
| 161 | |
| 162 | {{{ |
| 163 | authorised = auth.shn_has_permission("delete", db.my_table) |
| 164 | if not authorised: |
| 165 | auth.permission.fail() |
| 166 | }}} |
| 167 | |
| 168 | For interactive modes, you can set the destinations for redirection before calling {{{auth.permission.fail()}}}: |
| 169 | |
| 170 | - {{{auth.permission.homepage = URL(...)}}} for the case where the user is logged-in, but has insufficient privileges (defaults to {{{default/index}}}). |
| 171 | - {{{auth.permission.loginpage = URL(...)}}} for the case where the user is not logged-in (defaults to {{{default/user/login}}}). |
| 172 | |
| 173 | Example: redirect to {{{my/index}}} rather than to {{{default/index}}} in case of insufficient privileges of an authenticated user: |
| 174 | |
| 175 | {{{ |
| 176 | authorised = auth.shn_has_permission("delete", db.my_table) |
| 177 | if not authorised: |
| 178 | auth.permission.homepage = URL(r=request, c="my", f="index") |
| 179 | auth.permission.fail() |
| 180 | }}} |