Let's assume a table: db.define_table('SecretData', Field('data','string'), Field('file_owner', 'reference auth_user', default=auth. user_id) The table is already populated.
On the *View* side, the user is able to send an ajax request which contains the *id*, and some data in order to *update* a record he owns. In this scenario, isn't possible for a user to tamper the *id* variable (i.e. through javascript) and mess up with data from other users? How can I protect against this and enforce the update of the right record? Thank you. -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.