I have my authentication, authorization, create and read functions
working; however, I can't get the update and delete functions to work
without flaws. The problem lies in the fact that the visitor can tamper
with the URL in the browser's address bar.


In a view I have got:


<td>
  {{=A(row.adressoort,_href=URL(r=request,f='update_address',args=[row.id]))}}
</td>


The update_address function reads like:


@auth.requires_membership('user_3')
def update_address():
    record_id=request.args[0]
    record=db(db.adres.id==record_id).select(db.adres.bedrijf)
    if record==[]:
        redirect(URL(r=request,f='crud_address'))
    elif not record[0].bedrijf==auth.user.bedrijf:
        redirect(URL(r=request,f='crud_address'))
    form=crud.update(db.adres,request.args[0])
    return dict(form=form)


When the user clicks the link in the view, the correct record is
displayed. When the user tampers with the arg in the URL, two things
happen: if he changes the arg to a record_id of an existing record, the
elif redirects to the crud_address function; however, when he changes
the arg to a record_id that is not in the database, the following error
ticket is issued:


Traceback (most recent call last):
  File "/Library/Python/2.5/site-packages/mockpy/gluon/restricted.py", line 98, in restricted
  File "/Users/iannet/mockpy/applications/mock/controllers/crud.py", line 41, in <module>
  File "/Library/Python/2.5/site-packages/mockpy/gluon/globals.py", line 75, in <lambda>
  File "/Users/iannet/mockpy/gluon/tools.py", line 1049, in f
    return action(*a, **b)
  File "/Users/iannet/mockpy/applications/mock/controllers/crud.py", line 31, in update_address
    elif not record[0].bedrijf==auth.user.bedrijf:
  File "/Library/Python/2.5/site-packages/mockpy/gluon/sql.py", line 2109, in __getitem__
SyntaxError: SQLRows: no such row


So, if record==[]: is the cause of a syntax error, what is the correct
syntax of this statement?



Kind regards,

Annet.
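
An added example, not part of the original post and not web2py code: the same existence-plus-ownership check written so that every tampered URL argument takes one redirect path and an empty result is never indexed. It uses the standard-library sqlite3 module as a stand-in for the DAL; the table and column names come from the post, while the sample rows and the helper names make_db and load_owned_address are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two companies (10 and 20), three addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adres "
                 "(id INTEGER PRIMARY KEY, bedrijf INTEGER, adressoort TEXT)")
    conn.executemany("INSERT INTO adres VALUES (?, ?, ?)",
                     [(1, 10, "bezoekadres"), (2, 10, "postadres"),
                      (3, 20, "bezoekadres")])
    return conn

def load_owned_address(conn, args, user_bedrijf):
    """Return the row only if it exists AND belongs to the user's company.

    A missing arg, a non-numeric arg, an unknown id and another company's
    id all return None, so the caller never indexes an empty result.
    """
    if not args:
        return None
    try:
        record_id = int(args[0])
    except (TypeError, ValueError):
        return None
    if record_id <= 0:
        return None
    # Ownership is part of the query, not a check made after the fetch,
    # and the id is bound as a parameter rather than pasted into the SQL.
    return conn.execute(
        "SELECT id, bedrijf, adressoort FROM adres "
        "WHERE id = ? AND bedrijf = ?",
        (record_id, user_bedrijf)).fetchone()

def update_address(conn, args, user_bedrijf):
    """Stand-in for the controller: one redirect path for every failure."""
    row = load_owned_address(conn, args, user_bedrijf)
    if row is None:
        return ("redirect", "crud_address")
    return ("form", row)

if __name__ == "__main__":
    conn = make_db()
    # Own record, other company's record, unknown id, junk, no arg at all.
    for args in (["1"], ["3"], ["999"], ["abc"], []):
        print(args, update_address(conn, args, 10))
```

Because the response is identical for an unknown id and for another company's id, the redirect does not reveal which record ids exist.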