I meant to say that a copy of admin (controller and view with a different name) is all that it takes to open up admin and make it available (which is what I meant by "maybe a bug"). I'm just mentioning it because that's what I did when I wanted to get my hands dirty and take admin apart to see how it works and what I could salvage to make something similar for users who wanted better control over some tables that they kind of owned. By doing so, I didn't sufficiently break the renamed appAdmin, which for a while had been left open.
Mart :)

On Jan 29, 9:35 am, Massimo Di Pierro <massimo.dipie...@gmail.com> wrote:
> Making appadmin available to all users is very dangerous because
> appadmin allows you to write ANY python in the search string. It is a
> major vulnerability if you give other users access to it.
>
> Instead of db.table.id>0 one can type for example [os.unlink(f) for f
> in os.listdir('./')].
>
> Massimo
>
> On Jan 29, 12:11 am, mart <msenecal...@gmail.com> wrote:
> > Hey this is nice! Makes it easy to create a group of admins! :)
> >
> > Also, you can always make appAdmin open & available for your app to
> > all users (it's trivial to do really), although I don't see any
> > benefit. Hmm... come to think of it, it's probably a bug. I like
> > Bruno's script better than handing the keys to everyone because you
> > can add filters and apply them to groups.
> >
> > Mart :)
> >
> > On Jan 28, 8:16 am, Bruno Rocha <rochacbr...@gmail.com> wrote:
> > > I use something like this:
> > >
> > > </app/controllers/manage.py>
> > > # Only members of the 'admin' group reach this controller at all.
> > > @auth.requires_membership('admin')
> > > def index():
> > >     args = request.args
> > >     title = 'Administration'
> > >     # No args: list every table as a link to its own page.
> > >     if not args:
> > >         link = UL(*[LI(A(tab, _href=URL(args=tab))) for tab in db.tables])
> > >         return dict(items=link, title=title)
> > >
> > >     # URL is either /index/<table> or /index/edit/<table>/<id>,
> > >     # so the table name is at position 0 or 1.
> > >     if not args(1):
> > >         i = 0
> > >     else:
> > >         i = 1
> > >
> > >     # Refuse unknown table names instead of leaving tb undefined.
> > >     if args(i) not in db.tables:
> > >         raise HTTP(404)
> > >     tb = db[args(i)]
> > >
> > >     if args(0) == 'edit':
> > >         form = crud.update(tb, args(2), next=URL(f='index', args=args(1)))
> > >         items = None
> > >         title = 'Edit %s ' % args(i)
> > >     else:
> > >         form = crud.create(tb)
> > >         rows = db().select(tb.ALL)
> > >         # Row links go back to this function with 'edit' as args(0).
> > >         items = SQLTABLE(rows, linkto=URL(args='edit'))
> > >         title = 'Insert %s ' % args(i)
> > >
> > >     return dict(form=form, items=items, title=title)
> > > </app/controllers/manage.py>
> > >
> > > Bruno Rocha
> > > http://about.me/rochacbruno/bio
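The point Massimo makes above (that appadmin hands the search string to Python's eval, so anyone who can reach it can run arbitrary code) is shown below as an added example. This is not code from the thread or from web2py: `unrestricted_eval` only mimics the behaviour he describes, and `parse_restricted_query` / `run_restricted_query` are a hypothetical replacement of the kind Bruno's per-group controller could use, which accepts exactly one comparison of the form `db.<table>.<field> <op> <value>` and refuses everything else. The `person` table and its rows are constructed sample data.

```python
# Added example, not code from the thread or from web2py. It mimics the
# behaviour Massimo describes (a search string handed straight to eval())
# and contrasts it with a hypothetical restricted parser that accepts one
# comparison of the form  db.<table>.<field> <op> <value>  and nothing else.
import operator
import re

# Constructed sample data standing in for a table named `person`.
SAMPLE_DB = {
    "person": [
        {"id": 1, "name": "alice", "age": 31},
        {"id": 2, "name": "bob", "age": 45},
        {"id": 3, "name": "carol", "age": 28},
    ],
}


def unrestricted_eval(query, namespace=None):
    """The dangerous pattern: the user-supplied query string is evaluated as
    Python. Even with an empty globals dict Python supplies __builtins__, so
    __import__('os') is reachable and the string can do anything the process
    can do (Massimo's example deletes every file in the working directory)."""
    return eval(query, {}, dict(namespace or {}))


# Comparison operators the restricted grammar permits.
_OPS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}

# Exactly one comparison: db.<table>.<field> <op> <integer or 'string'>.
# Function calls, brackets, boolean operators and attribute chains do not
# match and are rejected before anything is executed.
_QUERY_RE = re.compile(
    r"^\s*db\.([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*"
    r"(==|!=|<=|>=|<|>)\s*(-?\d+|'[^']*')\s*$"
)


def parse_restricted_query(query):
    """Parse the query string into (table, field, op, value) or raise."""
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError("query rejected: only db.table.field <op> value is allowed")
    table, field, op, raw = m.groups()
    value = raw[1:-1] if raw.startswith("'") else int(raw)
    return table, field, op, value


def is_rejected(query):
    """True when the restricted parser refuses the query string."""
    try:
        parse_restricted_query(query)
    except ValueError:
        return True
    return False


def run_restricted_query(db, query):
    """Apply a parsed query to the in-memory table; the query string never
    reaches eval(), and unknown tables/fields are refused explicitly."""
    table, field, op, value = parse_restricted_query(query)
    if table not in db:
        raise ValueError("unknown table %r" % table)
    rows = db[table]
    if rows and field not in rows[0]:
        raise ValueError("unknown field %r" % field)
    compare = _OPS[op]
    return [row for row in rows if compare(row[field], value)]


if __name__ == "__main__":
    # A legitimate query works on either path...
    print(unrestricted_eval("[r['id'] for r in db['person'] if r['age'] > 30]",
                            {"db": SAMPLE_DB}))
    print(run_restricted_query(SAMPLE_DB, "db.person.age > 30"))
    # ...but only the eval() path runs arbitrary code. A harmless stand-in
    # for Massimo's os.unlink() example:
    print(unrestricted_eval("__import__('os').getcwd()"))
    attack = "[os.unlink(f) for f in os.listdir('./')]"
    print("restricted parser rejects attack:", is_rejected(attack))
```

The restricted parser is deliberately narrow: it does not try to detect "bad" Python inside a general expression (an approach that is easy to bypass), it only recognises the one shape it is willing to execute and treats anything else as an error.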