@Anthony, would this decorator language example below be helpful to Jason? @auth.requires(lambda: not db((db.auth_membership.user_id == auth.user_id) & (db.auth_membership.group_id == db.auth_group.id) & (db.auth_group.role == 'admin') & (db.auth_group.organizationID == request.get_vars.specificOrganizationID)).isempty())
The thing about the auth.requires in decorator is that wrong person can't even get to controller. Whereas I think common_filter will let user get to records they are authorized via controller for but then can start stepping through parms in the address window to see other organization's data. Alex Glaros -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
