> Well, I didn't try to give them access but sounds logical. Nevertheless I
> didn't want to give them access to that. But I don't want to access each
> article by myself just because someone made a spelling mistake or wants to
> add a little content.

A very simple rights restriction example for editing Articles:

    def owns_article(arg=None):
        # True only if the logged-in user owns the article whose id is in the URL
        return db((db.Article.owner_id == auth.user_id) &
                  (db.Article.id == request.args(1))).count() > 0

    @auth.requires(owns_article)
    def edit_article():
        # process() validates the submitted form and saves the update
        form = SQLFORM(db.Article, request.args(1)).process()
        return dict(form=form)

You must point users to the edit page with URLs like

    URL(f="edit_article", args=["Article", <article_id>])

And add a

    Field("owner_id", "reference auth_user", default=auth.user_id, writable=False)

to the Article table definition.

web2py also provides an API for fine-grained access control, covered here:
http://www.web2py.com/books/default/chapter/29/09
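
The ownership check from the reply above, as an added stand-alone example that is not part of the original post and is not web2py code: it uses Python's sqlite3 in place of the web2py DAL so it runs on its own, and the helper names (make_db, parse_id, body), the user ids and the sample rows are assumptions constructed for illustration. It denies anonymous callers and malformed ids, and scopes the UPDATE itself by owner as well as the check.

```python
import sqlite3

def make_db():
    """Constructed sample data: user 10 owns article 1, user 20 owns article 2."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Article "
                "(id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    con.executemany("INSERT INTO Article VALUES (?, ?, ?)",
                    [(1, 10, "alice draft"), (2, 20, "bob draft")])
    return con

def parse_id(raw):
    """URL args arrive as strings; accept only plain ASCII digits."""
    if isinstance(raw, str) and raw.isascii() and raw.isdigit():
        return int(raw)
    return None

def owns_article(con, user_id, raw_article_id):
    """Same test as the post's owns_article: owner and id matched in one query."""
    article_id = parse_id(raw_article_id)
    if user_id is None or article_id is None:
        return False  # anonymous caller or malformed id: deny
    row = con.execute(
        "SELECT 1 FROM Article WHERE id = ? AND owner_id = ?",
        (article_id, user_id)).fetchone()
    return row is not None

def edit_article(con, user_id, raw_article_id, new_body):
    """Apply the edit only for the owner; returns True if a row changed."""
    if not owns_article(con, user_id, raw_article_id):
        return False
    # Scope the write by owner too, so the update cannot touch another
    # user's row even if the check above is later removed or bypassed.
    cur = con.execute(
        "UPDATE Article SET body = ? WHERE id = ? AND owner_id = ?",
        (new_body, parse_id(raw_article_id), user_id))
    con.commit()
    return cur.rowcount == 1

def body(con, article_id):
    """Read back an article body to confirm what was (not) changed."""
    return con.execute("SELECT body FROM Article WHERE id = ?",
                       (article_id,)).fetchone()[0]
```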