I deleted the same question a few days ago but just noticed Richard replied before I deleted it:
On Monday, May 11, 2015 at 7:20:27 AM UTC-7, Richard wrote:
>
> You need to enforce it at controller level... What I usually do is to
> filter the records a user can view based on their role... The drawback,
> depending on your exact requirements, is that they only see in the grid
> what they are allowed to modify or access...
>
> But nothing prevents you from displaying all records and only blocking
> update, so they can see all records in the grid and the read form, but
> can't edit...
>
> This can be achieved at 2 levels: you can remove the "modify" button from
> the read form view with a simple if which checks for the role of the user
> and the state of the record, and at the controller level, where you
> redirect the user to a unified error page, to make sure that users who
> tamper with the URL can't access the record that way...
>
> Here is some sample code:
>
> # modify button
>
> {{if auth.has_permission('update', request.args(0)):}}
> {{=A(I(_class='icon-edit icon-large'), SPAN(' '), STRONG(T('Edit')),
>      _href=URL(c='yourcontroller', f='update',
>                args=(request.args(0), request.args(1))),
>      _style='text-decoration : none; color: #333;',
>      _class='btn btn-small')}}
> {{pass}}
>
> # controller
> if not auth.has_permission('update', request.args(0)):
>     # This page is the same for each error message of the app when
>     # redirecting because of a permissions issue; it contains a detailed
>     # message and a message box that the user can fill in to send an email
>     # requesting permission changes from the admin of the system.
>     redirect(URL(c='permission', f='not_authorized'))
>
> These 2 lines are the first lines of the controller... Notice the way I
> use a negative if to avoid an if/else structure, which would pollute all
> the rest of the controller with indentation for this simple check...
>
> Richard
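
Added example, not part of the original post and not Richard's or web2py's own code: a stand-alone Python model of the two levels described in the reply, showing that hiding the button does not stop a hand-edited URL while the guard clause at the top of the controller does. `StubAuth`, `Redirect`, `render_edit_button` and `handle` are hypothetical stand-ins for web2py's `auth`, `redirect()`, the view and the dispatcher; the URL args are assumed to be a table name and a record id, and the check is extended to per-record grants.

```python
# Stand-ins (assumptions) for web2py's auth and redirect(), so this runs without web2py.
NOT_AUTHORIZED = "/app/permission/not_authorized"  # constructed URL

class Redirect(Exception):
    """Stub: like web2py's redirect(), it aborts the action by raising."""
    def __init__(self, url):
        super().__init__(url)
        self.url = url

class StubAuth:
    """Constructed grants: (user, permission, table, record_id) tuples."""
    def __init__(self, user, grants):
        self.user, self.grants = user, set(grants)

    def has_permission(self, name, table_name, record_id=0):
        # In this stub a grant with record_id 0 covers the whole table.
        return any((self.user, name, table_name, rid) in self.grants
                   for rid in (0, record_id))

def render_edit_button(auth, table, record_id):
    """View level: hides the link only; the action itself is still reachable."""
    if auth.has_permission("update", table, record_id):
        return '<a href="/app/yourcontroller/update/%s/%d">Edit</a>' % (table, record_id)
    return ""

def update(auth, args):
    """Controller level: guard clause first, so a hand-edited URL is refused."""
    table, record_id = args[0], int(args[1])
    if not auth.has_permission("update", table, record_id):
        raise Redirect(NOT_AUTHORIZED)
    return "edit form for %s #%d" % (table, record_id)

def handle(auth, args):
    """Run the action; return (status, body or redirect location)."""
    try:
        return 200, update(auth, args)
    except Redirect as r:
        return 303, r.url
    except (IndexError, ValueError):
        return 303, NOT_AUTHORIZED  # malformed args are refused as well

if __name__ == "__main__":
    alice = StubAuth("alice", {("alice", "update", "invoice", 7)})  # constructed
    print(render_edit_button(alice, "invoice", 8))   # no button for record 8
    print(handle(alice, ["invoice", "8"]))           # typed URL still refused
    print(handle(alice, ["invoice", "7"]))           # permitted record
```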