I meant to say that a copy of admin (controller and view with a different
name) is all that it takes to open up admin and make it available (which
is what I meant by "maybe a bug"). I'm just mentioning it because that's
what I did when I wanted to get my hands dirty and take admin apart to
see how it works and what I could salvage to make something similar
for users who wanted better control over some tables that they kind of
owned. By doing so, I didn't sufficiently break the renamed appAdmin,
which for a while had been left open.

Mart :)



On Jan 29, 9:35 am, Massimo Di Pierro <massimo.dipie...@gmail.com>
wrote:
> Making appadmin available to all users is very dangerous because
> appadmin allows you to write ANY python in the search string. It is a
> major vulnerability if you give other users access to it.
>
> Instead of db.table.id>0 one can type for example [os.unlink(f) for f
> in os.listdir('./')].
>
> Massimo
>
> On Jan 29, 12:11 am, mart <msenecal...@gmail.com> wrote:
>
> > Hey this is nice! Makes it easy to create a group of admins! :)
>
> > Also, you can always make appAdmin open & available for your app to
> > all users (it's trivial to do, really), although I don't see any
> > benefit. Hum.... come to think of it, it's probably a bug. I like
> > Bruno's script better than handing the keys to everyone because you
> > can add filters and apply them to groups.
>
> > Mart :)
>
> > On Jan 28, 8:16 am, Bruno Rocha <rochacbr...@gmail.com> wrote:
>
> > > I use something like this:
>
> > > </app/controllers/manage.py>
> > > @auth.requires_membership('admin')
> > > def index():
> > >     args = request.args
> > >     title = 'Administration'
> > >     if not args:
> > >         # no args: list every table as a link back into this function
> > >         link = UL(*[LI(A(tab, _href=URL(args=tab))) for tab in db.tables])
> > >         return dict(items=link, title=title)
>
> > >     # args are either <table> or edit/<table>/<id>
> > >     i = 1 if args(1) else 0
>
> > >     tb = None
> > >     for tab in db.tables:
> > >         if tab == args(i):
> > >             tb = db[tab]
> > >     if tb is None:
> > >         raise HTTP(404)  # the URL names a table that does not exist
>
> > >     if args(0) == 'edit':
> > >         form = crud.update(tb, args(2), next=URL(f='index', args=args(1)))
> > >         items = None
> > >         title = 'Edit %s ' % args(i)
> > >     else:
> > >         form = crud.create(tb)
> > >         rows = db().select(tb.ALL)
> > >         # SQLTABLE appends /<table>/<id> to linkto, so rows link to index/edit/<table>/<id>
> > >         items = SQLTABLE(rows, linkto=URL(args='edit'))
> > >         title = 'Insert %s ' % args(i)
>
> > >     return dict(form=form, items=items, title=title)
>
> > > </app/controllers/manage.py>
>
> > > Bruno Rocha http://about.me/rochacbruno/bio

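Two points from the thread are worth seeing in running code: why a search string that is handed to eval() is remote code execution (Massimo's warning), and how a membership-gated controller like Bruno's can still expose a "query" field to users safely. The example below is added here and is not code from the thread or from web2py; it does not use web2py's DAL or Auth, and the SCHEMA, TABLES, User class and requires_membership decorator are constructed stand-ins for db tables and auth groups. unsafe_filter() reproduces the eval-the-string pattern with a benign payload; safe_filter() replaces it with an allowlisted parser that accepts only `db.table.field OP value`, checks table, field and value type against the schema, and never evaluates Python.

```python
import operator
import os
import re
from functools import wraps

# Constructed in-memory stand-in for a DAL table and its schema; not web2py's DAL.
SCHEMA = {"person": {"id": int, "name": str, "age": int, "owner": str}}
TABLES = {
    "person": [
        {"id": 1, "name": "alice", "age": 31, "owner": "alice"},
        {"id": 2, "name": "bob", "age": 19, "owner": "bob"},
        {"id": 3, "name": "carol", "age": 44, "owner": "alice"},
    ],
}


def unsafe_filter(query):
    """The pattern the thread warns about: the search string goes to eval().
    Any Python expression runs with the web server's privileges."""
    return eval(query, {"db": TABLES})


def eval_executes_code():
    """Benign proof that unsafe_filter() runs arbitrary code: the 'query'
    is an attacker-style payload that returns the server's own PID."""
    return unsafe_filter("__import__('os').getpid()") == os.getpid()


OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}

# The only accepted shape: db.<table>.<field> <op> <integer | 'string'>.
# Calls, attribute chains, boolean operators and anything else fail to match.
QUERY_RE = re.compile(
    r"^\s*db\.(\w+)\.(\w+)\s*(>=|<=|==|!=|>|<)\s*(\d+|'[^']*')\s*$")


def safe_filter(query, schema=SCHEMA, tables=TABLES):
    """Parse the search string against an allowlist instead of eval()-ing it."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError("query must look like db.table.field OP value")
    table, field, op, raw = m.groups()
    if table not in schema:
        raise ValueError("unknown table %r" % table)
    if field not in schema[table]:
        raise ValueError("unknown field %s.%s" % (table, field))
    ftype = schema[table][field]
    value = int(raw) if raw.isdigit() else raw[1:-1]  # strip quotes; no escapes
    if not isinstance(value, ftype):
        raise ValueError("%s.%s expects %s" % (table, field, ftype.__name__))
    cmp = OPS[op]
    return [row for row in tables[table] if cmp(row[field], value)]


def rejects(query):
    """True if safe_filter() refuses the query (shows what the allowlist drops)."""
    try:
        safe_filter(query)
    except ValueError:
        return True
    return False


class User:
    """Minimal stand-in for an authenticated user and the auth groups it belongs to."""
    def __init__(self, name, groups=()):
        self.name = name
        self.groups = set(groups)


def requires_membership(group):
    """Decorator in the spirit of auth.requires_membership(): the wrapped
    controller runs only for members of `group`, otherwise PermissionError."""
    def decorator(f):
        @wraps(f)
        def wrapper(user, *args, **kwargs):
            if group not in user.groups:
                raise PermissionError("%s is not in group %r" % (user.name, group))
            return f(user, *args, **kwargs)
        return wrapper
    return decorator


@requires_membership("admin")
def admin_search(user, query):
    """Admins may filter the whole table, but still only through the allowlist."""
    return safe_filter(query)


def owner_search(user, query):
    """Non-admins get the same parser, then rows are cut down to their own."""
    return [row for row in safe_filter(query) if row["owner"] == user.name]


def denied(user, query):
    """True if admin_search() refuses the user."""
    try:
        admin_search(user, query)
    except PermissionError:
        return True
    return False
```

The regex anchors (`^`...`$`) are what make this safe: a query such as `db.person.age > 20 or True` or `__import__('os').getpid()` simply does not match, so nothing is ever evaluated. The schema check also stops a non-admin from probing table and field names, and owner_search() is the "filter applied to a group" idea from the thread: the same parser, with the result row-scoped to the caller.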