Hello,
How can I restrict access via RestAPI for the user such that they can only
get their own records (those that have the field user_id matching their
user id)?
For example, I have a a table named 'collections' that has a 'user_id'
field, and I want my users to get only the collections that they created.
If they try to get someone else's collection, then they should get a 'not
authorized' response.
As an extension, I would also like to allow for users to be able to get
someone else's collection if its status is equal to 'PUBLIC'.
Here's the definition of my collections table:
db.define_table('collections',
Field('user_id', db.auth_user, notnull=True),
Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code',
db.language._format), notnull=True),
Field('title', length=512, notnull=True),
Field('description', 'text', notnull=False),
Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True,
default='PRIVATE'),
Field('level',length=10, requires=IS_IN_SET(level_set), notnull=True,
default='NONE'))
Thanks,
--
Alexei
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/web2py/22947111-cd14-46ed-b3d1-242721097bea%40googlegroups.com.
