Re: [TurboGears] Re: No redirect when not enough credentials

Lukasz Szybalski <szybal...@gmail.com>

On Thu, Apr 24, 2008 at 9:44 AM, Christopher Arndt <chris.ar...@web.de> wrote:

>  Cecil Westerhof wrote:

>  > I have been playing with TG for two days now and I must say that until
>  > now I like it. ;-}

>  > With the identity module you go to a login page when you do not have
>  > enough credentials. Is it possible to make a difference between a user
>  > that is not logged in (login page) and a logged in user that has not
>  > enough credentials (entry denied)?

>  Yes, you can, but this is a feature of the identity framework that isn't
>  really documented well (i.e. not at all ;-)).

>  You can set the configuration setting 'identity.failure_url' to a
>  callable, which will get evaluated every time an IdentityFailure
>  exception occurs. In this function you can then check

>  a) if the user is anonymous (not logged in)
>  b) what the error message(s) of the IdentityFailure exception are

>  and then return different URLs depending on this info.

>  Example (untested):

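>  import cherrypy
>  from turbogears import identity, url
>
>  def failure_url():
>      # Logged in, but the 'foo' check failed: show "access denied".
>      if (not identity.current.anonymous and
>              'foo' in cherrypy.request.identity_errors):
>          return url('/access_denied')
>      return url('/login')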

>  See the code for 'turbogears.identity.exceptions' (set_identity_errors,
>  IdentityFailure) and turbogears.identity.conditions (Predicate, require)
>  for particulars.

>  As a simpler, but less general alternative, you can test for the
>  required permissions *within* your controller method and then just do
>  the redirect yourself. If you are just redirecting to an "Access denied"
>  page, you probably don't need to care about retaining request parameters
>  across redirects.

>  Example (also untested):

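>  from turbogears import controllers, expose, identity, redirect
>
>  class MyController(controllers.Controller, identity.SecureResource):
>      @expose('bla')
>      def bla(self):
>          if 'foo' not in identity.current.permissions:
>              # Logged-in user lacking 'foo': show the "access denied" page.
>              if not identity.current.anonymous:
>                  redirect('/access_denied')
>              # Anonymous user: fall back to the normal login handling.
>              raise identity.IdentityFailure("permission 'foo' required")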

Hello Christopher,
Would be nice if what you wrote here was added to the .py file that
has the code.

http://lucasmanual.com/tgdocs/turbogears.identity.exceptions-pysrc.ht...

Just wondering, what is your / TG project preference when documenting
things like this? I'm sure you could copy what you wrote here in the
email and paste it to turbogears/identity/exceptions.py comment
section, and that would be painless.

Lucas