differentiate between Unauthorized and Forbidden #29
Milestone
Comments
|
Just a draft of how it could be handled in the future: def can(self, action: str) -> bool:
if not (user := current.user.get()):
return Reason.Deny("not loggin'ed", 401)
if user and user["access"]:
if not ("root" in user["access"] or f"{self.moduleName}-{action]" in user["access"]):
return Reason.Deny("missing permissions: root, action-edit", 403)
if user and not user["has_2fa_enabled"]:
return Reason.Deny("you have to setup 2FA!")
return Reason.Allow("You're nice and welcome!") |
sveneberth
pushed a commit
to sveneberth/viur-core
that referenced
this issue
Jan 30, 2025
…-bugfix_skelview Update skelview.html
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In several placed in core (especially in the edit-methods) we are currently raising an Unauthorized exception.
But unauthorized means you have submitted no or invalid credentials - If you are logged in and have not the move-/edit-access it's simply just forbidden to you.
So we have to differentiate between not logged in (Unauthorized) and no access (Forbidden).
Originally annotation: https://github.com/viur-framework/viur-core/pull/28/files/dd4287cc596af96f9d39d02c24621339134f098c..1b34887b40e9d3ee6baa71fb4f69771a1a9339f5#r437333030
The text was updated successfully, but these errors were encountered: