Let's assume a table:
db.define_table('SecretData',
Field('data','string'),
Field('file_owner', 'reference auth_user', default=auth.
user_id)
The table is already populated.
On the *View* side, the user is able to send an ajax request which contains
the *id*, and some data in order to *update* a record he owns.
In this scenario, isn't possible for a user to tamper the *id* variable
(i.e. through javascript) and mess up with data from other users?
How can I protect against this and enforce the update of the right record?
Thank you.
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
