I deleted the same question a few days ago but just noticed Richard replied 
before I deleted it:

On Monday, May 11, 2015 at 7:20:27 AM UTC-7, Richard wrote:
>
> You need to enforce it at controller level... What I usually do is to 
> filter the records a user can view based on their role... The drawback, 
> depending on your exact requirement, is that they only see in the grid 
> what they are allowed to modify or access...
>
> But nothing prevents you from displaying all records and only blocking 
> updates, so they can see all records in the grid and the read form, but 
> can't edit...
>
> This can be achieved at 2 levels: you can remove the "modify" button from 
> the read form view with a simple if which checks for the role of the user 
> and the state of the record, and at the controller level, where you 
> redirect the user to a unified error page, to make sure that users who 
> tamper with the URL can't access the record that way...
>
> Here are some code samples:
>
> # modify button
>
> {{if auth.has_permission('update', request.args(0)):}}
>     {{=A(I(_class='icon-edit icon-large'), SPAN(' '), STRONG(T('Edit')),
>             _href=URL(c='yourcontroller', f='update', args=(request.args(0), request.args(1))),
>             _style='text-decoration : none; color: #333;', _class='btn btn-small')}}
> {{pass}}
>
> # controller
> if not auth.has_permission('update', request.args(0)):
>     # This page is the same for each error message of the app when
>     # redirecting because of a permissions issue; it contains a detailed
>     # message and a message box that the user can fill in to send an email
>     # requesting permission changes to the admin of the system.
>     redirect(URL(c='permission', f='not_authorized'))
>
> These 2 lines are the first lines of the controller... Notice the way I 
> use a negative if to prevent having an if else structure which would 
> pollute all the rest of the controller with indentation for this simple 
> check...
>
> Richard
>
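
Added example (not part of the original thread, and not web2py code): a framework-free Python model of the two levels Richard describes, showing that hiding the Edit link does not stop a hand-typed update URL, while the guard at the top of the controller does. Auth, Redirect, edit_button, update, request_as and the sample data are constructed stand-ins.

```python
# Framework-free model of the view check and the controller check.
# Every name below is a constructed stand-in, not a web2py (gluon) object.
class Redirect(Exception):
    """Stand-in for redirect(): aborts the action and carries the target URL."""
    def __init__(self, url):
        super().__init__(url)
        self.url = url

class Auth:
    """Same call shape as the thread's auth.has_permission(name, table)."""
    def __init__(self, grants):
        self.grants = grants      # {user: {(permission name, table), ...}}
        self.user = None          # set per simulated request
    def has_permission(self, name, table):
        return (name, table) in self.grants.get(self.user, set())

# Constructed sample data: alice may update 'invoice', bob may only read it.
auth = Auth({"alice": {("read", "invoice"), ("update", "invoice")},
             "bob": {("read", "invoice")}})
records = {("invoice", "7"): {"amount": 100}}

def edit_button(args):
    """View level: cosmetic only, decides whether the Edit link is rendered."""
    if auth.has_permission("update", args[0]):
        return "/yourcontroller/update/%s/%s" % (args[0], args[1])
    return ""

def update(args, post_vars):
    """Controller level: the guard is the first statement, so a hand-typed
    /yourcontroller/update/<table>/<id> URL is rejected before any write."""
    if not auth.has_permission("update", args[0]):
        raise Redirect("/permission/not_authorized")
    records[(args[0], args[1])].update(post_vars)
    return dict(records[(args[0], args[1])])

def request_as(user, args, post_vars):
    """Simulate one request; returns (edit link shown, outcome of update)."""
    auth.user = user
    link = edit_button(args)
    try:
        return link, update(args, post_vars)
    except Redirect as r:
        return link, r.url

if __name__ == "__main__":
    print(request_as("bob", ["invoice", "7"], {"amount": 1}))
    print(request_as("alice", ["invoice", "7"], {"amount": 250}))
```
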
