Merge pull request #22 from deignacio/develop

correct roles_* decorator signature expectations

example/app.py

@@ -28,6 +28,7 @@ def create_roles():
 def create_users():
     for u in  (('matt@lp.com', 'password', ['admin'], True),
                ('joe@lp.com', 'password', ['editor'], True),
+               ('dave@lp.com', 'password', ['admin', 'editor'], True),
                ('jill@lp.com', 'password', ['author'], True),
                ('tiya@lp.com', 'password', [], False)):
         current_app.security.datastore.create_user(
@@ -96,6 +97,11 @@ def create_app(auth_config):
     def admin():
         return render_template('index.html', content='Admin Page')
 
+    @app.route('/admin_and_editor')
+    @roles_required('admin', 'editor')
+    def admin_and_editor():
+        return render_template('index.html', content='Admin and Editor Page')
+
     @app.route('/admin_or_editor')
     @roles_accepted('admin', 'editor')
     def admin_or_editor():

flask_security/decorators.py

@@ -93,7 +93,7 @@ def roles_required(*roles):
 
     :param args: The required roles.
     """
-    perm = Permission(*[RoleNeed(role) for role in roles])
+    perms = [Permission(RoleNeed(role)) for role in roles]
 
     def wrapper(fn):
         @wraps(fn)
@@ -102,12 +102,12 @@ def roles_required(*roles):
                 login_view = app.security.login_manager.login_view
                 return redirect(login_url(login_view, request.url))
 
-            if perm.can():
-                return fn(*args, **kwargs)
-
-            app.logger.debug('Identity does not provide the '
-                                     'roles: %s' % [r for r in roles])
-            return redirect(request.referrer or '/')
+            for perm in perms:
+                if not perm.can():
+                    app.logger.debug('Identity does not provide the '
+                                             'roles: %s' % [r for r in roles])
+                    return redirect(request.referrer or '/')
+            return fn(*args, **kwargs)
         return decorated_view
     return wrapper
 
@@ -126,7 +126,7 @@ def roles_accepted(*roles):
 
     :param args: The possible roles.
     """
-    perms = [Permission(RoleNeed(role)) for role in roles]
+    perm = Permission(*[RoleNeed(role) for role in roles])
 
     def wrapper(fn):
         @wraps(fn)
@@ -135,9 +135,8 @@ def roles_accepted(*roles):
                 login_view = app.security.login_manager.login_view
                 return redirect(login_url(login_view, request.url))
 
-            for perm in perms:
-                if perm.can():
-                    return fn(*args, **kwargs)
+            if perm.can():
+                return fn(*args, **kwargs)
 
             r1 = [r for r in roles]
             r2 = [r.name for r in current_user.roles]

tests/functional_tests.py

@@ -84,6 +84,16 @@ class DefaultSecurityTests(SecurityTest):
         r = self._get('/admin', follow_redirects=True)
         self.assertIn('<input id="next"', r.data)
 
+    def test_multiple_role_required(self):
+        for user in ("matt@lp.com", "joe@lp.com"):
+            self.authenticate(user)
+            r = self._get("/admin_and_editor", follow_redirects=True)
+            self.assertIsHomePage(r.data)
+
+        self.authenticate('dave@lp.com')
+        r = self._get("/admin_and_editor")
+        self.assertIn('Admin and Editor Page', r.data)
+
     def test_token_auth_via_querystring_valid_token(self):
         r = self._get('/token?auth_token=123abc')
         self.assertIn('Token Authentication', r.data)