Thanks, awesome answer! I think I'm gonna go with the table callback method, I kind of feel safer when doing security checks closer to the DB (maybe I'm wrong...)
- For the second solution (Authorization), as I am using a sqlform.grid, I need to provide a query and not rows. So I tried to remove the select part and I get back a set. However, the grid does not seem to accept a set either.

(Test in the shell)

    In [6]: print db(auth.accessible_query('owner', db.feed,2))
    <Set (feed.id IN (SELECT auth_permission.record_id FROM auth_permission, auth_membership WHERE ((((auth_membership.user_id = 2) AND (auth_membership.group_id = auth_permission.group_id)) AND (auth_permission.name = 'owner')) AND (auth_permission.table_name = 'feed'))))>

(actual grid code)

    query=db(auth.accessible_query('owner', db.feed))
    grid = SQLFORM.grid(query)
    return locals()

> Exception:

    File "/home/mdipierro/make_web2py/web2py/gluon/sqlhtml.py", line 1882, in grid
    TypeError: reduce() of empty sequence with no initial value

- Just to be sure I understand correctly: if you do some filtering on the grid to display only what the user is allowed to edit with a query, web2py will ensure that the user cannot forge a query that would edit another entry that is not part of the filtered query, right?

Thanks again for your help!

On Friday, 22 March 2013 00:53:40 UTC+1, luismurciano wrote:
>
> Hi
>
> There are some easy ways to do it.
> If the owner reference is in the row you can use before and after callbacks <http://www.web2py.com/books/default/chapter/29/06#before-and-after-callbacks>, something like:
>
> db.mytable._before_update.append(lambda s,r: True if r.owner == auth.user_id else False)
>
> The True value cancels the insert
>
> Also you can use Authorization <http://www.web2py.com/books/default/chapter/29/09#Authorization>
>
> rows = db(auth.accessible_query('update', db.mytable, user_id)).select(db.mytable.ALL)
>
> I like the Authorization choice because it's a nice abstraction and you don't need to mess with forms or tables.
>
> I hope it helps.