> > The thing about the auth.requires decorator is that the wrong person can't
> > even get to the controller.

He said he didn't want to rely on restricting access at the controller level (perhaps there are multiple controllers/actions, and it would be difficult to keep track of the access rights at that level).

> Whereas I think common_filter will let the user get to records they are
> authorized for via the controller, but then they can start stepping through
> params in the address window to see other organizations' data.

No, common_filter is defined as part of the model -- as long as it is based on the user's Auth roles, manipulating HTTP requests can't do anything to override the filter. For example:

    db.define_table('private', ...,
                    common_filter=lambda q: db.private.id > 0 if auth.has_membership('admin')
                                            else db.private.id < 0)

For non-admin users, the db.private table will appear to contain no records (this does not depend on the manipulation of any request parameters). This will prevent reading, updating, and deleting, though it doesn't do anything to prevent creation of new records. To prevent creation, you could use a _before_insert callback.

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.