| | 149 | === auth.permission.fail === |
| | 150 | |
| | 151 | In case of failure, a well-defined response action must take place: |
| | 152 | |
| | 153 | - in interactive formats: |
| | 154 | - the user should be informed that he has insufficient permissions (if already logged-in) |
| | 155 | - the user should be requested to login (+forwarded to the login page) |
| | 156 | - in non-interactive formats |
| | 157 | - the client must receive a HTTP 401 (Authorization Required) error if not logged-in in order to trigger an authentication attempt |
| | 158 | - the client must receive a HTTP 403 (Forbidden) error code to cancel its attempt properly |
| | 159 | |
| | 160 | All this is covered by the {{{auth.permission.fail()}}} method: |
| | 161 | |
| | 162 | {{{ |
| | 163 | authorised = auth.shn_has_permission("delete", db.my_table) |
| | 164 | if not authorised: |
| | 165 | auth.permission.fail() |
| | 166 | }}} |
| | 167 | |
| | 168 | For interactive modes, you can set the destinations for redirection before calling {{{auth.permission.fail()}}}: |
| | 169 | |
| | 170 | - {{{auth.permission.homepage = URL(...)}}} for the case where the user is logged-in, but has insufficient privileges (defaults to {{{default/index}}}). |
| | 171 | - {{{auth.permission.loginpage = URL(...)}}} for the case where the user is not logged-in (defaults to {{{default/user/login}}}). |
| | 172 | |
| | 173 | Example: redirect to {{{my/index}}} rather than to {{{default/index}}} in case of insufficient privileges of an authenticated user: |
| | 174 | |
| | 175 | {{{ |
| | 176 | authorised = auth.shn_has_permission("delete", db.my_table) |
| | 177 | if not authorised: |
| | 178 | auth.permission.homepage = URL(r=request, c="my", f="index") |
| | 179 | auth.permission.fail() |
| | 180 | }}} |
