is_available method needed #217
Assignees
Labels
Comments
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Both the
requires_permissionand the forthcomingrequires_rolesdecorators (in ModelView; see #179) should provide anis_availablemethod that returns True if a call to the decorated function will be allowed by the decorator under current conditions. Templates can use this to determine whether to show functionality to the user.Currently templates do their own testing using
obj.current_roles.roleorcurrent_auth.permissions.perm. This is risky because it can go wrong in either direction. Templates may incorrectly assume that the user has access to some functionality, or worse, templates may assume no access while the backend does in fact provide access, leading to security vulnerabilities. If templates use the same testing mechanism as the backend, we get closer to WYSIWYG UI, making it easier to spot misconfiguration.The text was updated successfully, but these errors were encountered: