I've found a behavior in 2.14.6 which makes me scratch my head. I have set auth.settings.everybody_group_id = 2
in order to make every user part of the "user" group (2). The auth_membership reflects this explicitely for each added user. I have granted several permissions to group 2, e.g. one identified by the constant PERM_READ in a table 'piece'. Now, if I call a controller without being logged in (so that auth.user_id == None), to my surprise auth.has_permission(PERM_READ, "piece", piece_id) returns True. If I do not set auth.settings.everybody_group_id, however, the same check returns False. So it seems that the "None" user implicitly gets group 2 permissions (without this being reflected in the membership table). Is this desired behavior? -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.