It depends on the missing code, but I do not think it is secure, because this
@auth.requires_membership(session.group)
will work even if session.group='Public'.

On Jul 3, 4:30 pm, Fauché JM <jm.fau...@free.fr> wrote:
> hello,
> In my application I have a function with Public and Private ways.
> Do you think it is secure to do it like this:
>
> def index():
>     if not session.group:session.group='Public'
>     redirect(URL(r=request,f='function'))
>     return dict()
>
> def fonction():
>     ...
>     if session.group=='Public':
>         ...
>         form=there a form to choose a private group
>         if form.accepts...:
>             redirect(URL(r=request,f='sas'))
>     else:
>         ...
>         there access to private information of the private
>         session.group
>         ...
>     ....
>     return dict(form=form,...)
>
> @auth.requires_membership(session.group)
> def sas():
>     session.flash="now you are in the private group %s" %session.group
>     redirect(URL(r=request,f='function'))
>     return dict()
>
> Thank you
> Jean-Marc
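
An added example, not part of the thread and not web2py's own code: a plain-Python model of a guard whose required group is read from session state, as in `@auth.requires_membership(session.group)`, next to a page function that re-checks membership itself. It shows that the guard passes when the session holds 'Public', and that a page branching on `session.group` alone is not protected by a guard on a different function. Assumptions: `MEMBERS`, `PRIVATE_DATA`, `Denied`, `requires_session_group` and the two `fonction_*` variants are hypothetical names, every visitor is a member of 'Public', and the elided parts of the posted `fonction()` do no membership check of their own.

```python
# Constructed model, not web2py code: every name below is hypothetical.
MEMBERS = {"alice": {"Public", "staff"}, "bob": {"Public"}}  # constructed sample
PRIVATE_DATA = {"staff": "staff-only notes"}                 # constructed sample


class Denied(Exception):
    """Raised when a membership check fails."""


def has_membership(user, group):
    return group in MEMBERS.get(user, set())


def requires_session_group(action):
    """Guard whose required group is whatever the session currently holds."""
    def wrapper(user, session):
        if not has_membership(user, session.get("group")):
            raise Denied("%s is not in %s" % (user, session.get("group")))
        return action(user, session)
    return wrapper


@requires_session_group
def sas(user, session):
    return "now you are in the private group %s" % session["group"]


def fonction_unchecked(user, session):
    """Branches on session state only (the assumed shape of the posted page)."""
    group = session.get("group") or "Public"
    if group == "Public":
        return "public page"
    return PRIVATE_DATA[group]


def fonction_checked(user, session):
    """Same page, but the private branch verifies membership on every read."""
    group = session.get("group") or "Public"
    if group == "Public":
        return "public page"
    if not has_membership(user, group):
        session["group"] = "Public"  # discard the unverified choice
        raise Denied("%s is not in %s" % (user, group))
    return PRIVATE_DATA[group]
```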