Re: [web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-18 Thread Anthony
> The thing about the auth.requires in decorator is that wrong person can't
> even get to controller.

He said he didn't want to rely on restricting access at the controller level (perhaps there are multiple controllers/action, and it would be difficult to keep track of the access rights at

Re: [web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-18 Thread Anthony
On Sunday, May 17, 2015 at 4:09:35 PM UTC-4, Encompass solutions wrote:
> Each role in the system is going to need different tables. To improve
> security it would be good to restrict the roles to only have access to
> certain tables, rather than depend on only the controller to enforce this

Re: [web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-18 Thread Alex Glaros
@Anthony, would this decorator language example below be helpful to Jason?

@auth.requires(lambda: not db((db.auth_membership.user_id == auth.user_id) & (db.auth_membership.group_id == db.auth_group.id) & (db.auth_group.role == 'admin') & (db.auth_group.organizationID == request.get_vars.specifi

Re: [web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-17 Thread Jason (spot) Brower
Each role in the system is going to need different tables. To improve security it would be good to restrict the roles to only have access to certain tables, rather than depend on only the controller to enforce this kind of database access. This is useful when trying to make sure there are no SQL i

[web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-15 Thread Anthony
The Auth records are in the database, but you don't have to give users any direct access to the Auth tables (there is none by default). Can you explain your requirements in more detail?

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2p

[web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-14 Thread Encompass solutions
Wow guys. Thanks a lot! I thought auth needed database access, am I right or is this something that we can call because it's in the session files? If so, I suppose we have to keep sessions in its own DB or in files, right?

BR,
Jason Brower

On Friday, May 15, 2015 at 12:34:07 AM UTC+3, Anthon

[web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-14 Thread Anthony
If you need to restrict access to particular tables or particular sets of records within tables based on auth roles, you can use the multi-tenancy or common filters

[web2py] Re: Restricting Access to database based on roles at the Database level.

2015-05-14 Thread Massimo Di Pierro
Normally roles are stored in database so you have a chicken and egg problem. You can have two databases. One for users and one for other data. You can conditionally instantiate the other databases:

if auth.has_membership('superhero'):
    db2 = DAL(.)

On Thursday, 14 May 2015 04:58:20 UTC-5, En