Making appadmin available to all users is very dangerous because appadmin allows you to write ANY python in the search string. It is a major vulnerability if you give other users access to it.
Instead of db.table.id>0 one can type for example [os.unlink[f] for f in os.listdir('./')].

Massimo

On Jan 29, 12:11 am, mart <msenecal...@gmail.com> wrote:
> Hey this is nice! Makes it easy to create a group of admins! :)
>
> Also, you can always make appAdmin open & available for your app to
> all users (it's trivial to do really), although I don't see any
> benefit. hum.... come to think of it, it's probably a bug. I like
> Bruno's script better than handing the keys to everyone because you
> can add filters and apply them to groups.
>
> Mart :)
>
> On Jan 28, 8:16 am, Bruno Rocha <rochacbr...@gmail.com> wrote:
> > I use something like this:
> >
> > </app/controllers/manage.py>
> > @auth.requires_membership('admin')
> > def index():
> >     args = request.args
> >     title = 'Administration'
> >     if not args:
> >         # no table chosen yet: list every table as a link
> >         link = UL(*[LI(A(tab, _href=URL(args=tab))) for tab in db.tables])
> >         return dict(items=link, title=title)
> >
> >     # args(0) is either a table name or 'edit'; in the latter case the
> >     # table name is args(1) and the record id is args(2)
> >     if not args(1):
> >         i = 0
> >     else:
> >         i = 1
> >
> >     for tab in db.tables:
> >         if tab == args(i):
> >             tb = db[tab]
> >
> >     if args(0) == 'edit':
> >         form = crud.update(tb, args(2), next=URL(f='admin', args=args(1)))
> >         items = None
> >         title = 'Edit %s ' % args(i)
> >     else:
> >         form = crud.create(tb)
> >         rows = db().select(tb.ALL)
> >         items = SQLTABLE(rows, linkto='editar')
> >         title = 'Insert %s ' % args(i)
> >
> >     return dict(form=form, items=items, title=title)
> >
> > </app/controllers/manage.py>
> >
> > Bruno Rocha
> > http://about.me/rochacbruno/bio
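Massimo's point is that appadmin evaluates the search string as Python, so exposing it hands every user an eval(). An added example (not part of this thread, and not web2py's own code) of the alternative for a user-facing search box: parse the string against a constructed whitelist of tables, fields and operators and build the DAL query from the parsed parts, so that anything that is not a single field comparison is rejected before it is ever evaluated. The table and field names are assumptions for the example.

```python
import operator
import re

# Constructed schema for the example: the tables and fields a user may query.
ALLOWED_FIELDS = {
    "person": {"id", "name", "age"},
    "post": {"id", "title", "author"},
}
# Map each accepted operator to the function that web2py Field objects overload.
ALLOWED_OPS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "==": operator.eq, "!=": operator.ne,
}

# Exactly one comparison: db.<table>.<field> <op> <integer | 'string'>
_QUERY_RE = re.compile(
    r"^db\.([a-z_]\w*)\.([a-z_]\w*)\s*(>=|<=|==|!=|>|<)\s*(-?\d+|'[^'\\]*')$"
)


class UnsafeQuery(ValueError):
    """Raised for any search string that is not a single whitelisted comparison."""


def parse_query(search, allowed_fields=ALLOWED_FIELDS):
    """Validate an appadmin-style search string without eval()/exec().

    Returns (table, field, op, value) for e.g. "db.person.age>=18" and raises
    UnsafeQuery for anything else, including arbitrary Python expressions.
    """
    m = _QUERY_RE.fullmatch(search.strip())
    if not m:
        raise UnsafeQuery("search string is not a single field comparison")
    table, field, op, raw = m.groups()
    if table not in allowed_fields or field not in allowed_fields[table]:
        raise UnsafeQuery("unknown table or field: %s.%s" % (table, field))
    value = int(raw) if not raw.startswith("'") else raw[1:-1]
    return table, field, op, value


def is_safe(search):
    """Accept/reject wrapper for callers that do not need the parsed parts."""
    try:
        parse_query(search)
    except UnsafeQuery:
        return False
    return True


def to_dal_query(db, search):
    """Build the query from parsed parts; db is indexed like web2py's DAL (db[table][field])."""
    table, field, op, value = parse_query(search)
    return ALLOWED_OPS[op](db[table][field], value)
```

With a real DAL instance, to_dal_query(db, s) yields the same Query object that db.person.age >= 18 would, so it can be passed straight to db(query).select().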