@auth.requires(condition) First checks that user is logged in then it check whether the condition is true or False. This behavior has changed but it was undocumented.
I guess next question is how do you do what you need to do. I thought about it and I pushed this to trunk: @auth.requires(request.client=='127.0.0.1' or auth.user,login=False) The login=False skips the pre-check on user login. Massimo On Oct 17, 1:19 am, "Ray (a.k.a. Iceberg)" <iceb...@21cn.com> wrote: > Thanks for the workaround, I might take that. But I will still argue > that: > > 1. Does authentication have to mean logged-in, or can it be something > else, such as "accessing from localhost", "accessing via ajax", etc.? > > 2. if @auth already means authentication, why there is still an > auth.requires_login() which implemented as > auth.requires(auth.is_logged_in())? Shouldn't this implementation > imply that auth.requires() does not check is_logged_in()? All in all, > what is auth.requires()'s semantics? > > Regards, > Ray > > On Oct 17, 1:41 pm, Bruno Rocha <rochacbr...@gmail.com> wrote: > > > > > > > > > I think it should be, because @auth means authentication, so needs > > authenticated user. > > > In your case I should do differently. > > > def secret(): > > if not request.client == '127.0.0.1' or not auth.user: > > redirect(URL('default', 'user', args='login')) > > return {"": "some cool stuff"}