Changes between Version 5 and Version 6 of UserGuidelines/Admin/Permissions/Rules
Timestamp: 02/09/17 10:35:19 (8 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
UserGuidelines/Admin/Permissions/Rules
v5 v6 104 104 ADMIN has all permissions (=auth.s3_has_permission is always True if the user is ADMIN) 105 105 106 auth.s3_has_role(ANONYMOUS) is always True (ANONYMOUS role is assigned to all users, even if not logged-in) 106 auth.s3_has_role(ANONYMOUS) is always True (ANONYMOUS role is assigned to all users, logged-in or not). 107 108 Logged-in users always have at least the same permissions as anonymous users (because they could gain them anyway by simply logging). 109 110 auth.s3_has_role(ANONYMOUS) is not a suitable means to differentiate between logged-in users and unauthenticated users (because it is always True). Instead, one should use one of the following alternatives: 111 - auth.s3_logged_in() (which performs an implicit HTTP BasicAuth if necessary), or 112 - auth.user!=None (if no implicit Authentication is desired), or 113 - auth.s3_has_role(AUTHENTICATED). 107 114 108 115 auth.s3_has_role(AUTHENTICATED) is always True when the user is logged in (AUTHENTICATED role is automatically assigned to the user when logged-in) 109 116 117 == Override == 118 119 It is possible to temporarily disable all authorization by setting auth.override=True. This setting applies until the end of the current request cycle. 120 121 This is useful in scripts and tests, but it should ''never'' be done in any permanent functions that could even possibly be exposed to the user. 110 122 == Session Ownership == 111 123
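Review bot: added line 108 is missing a word, "by simply logging" should read "by simply logging in", and the clause in parentheses would be clearer as "because they could gain them anyway simply by logging in". In the new Override section (lines 117-121), the warning that auth.override=True must never sit in permanent, user-reachable code is good, but the text would be more actionable if the script/test guidance also said to set auth.override back to False as soon as the privileged work is done rather than relying on the request cycle ending, and if the alternatives list at lines 111-113 stated which one is preferred in request handlers (the list currently gives three options with no recommendation).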