I found this 
thread<http://www.mail-archive.com/web2py@googlegroups.com/msg17851.html> which 
seems to indicate that something was being done about this, but it still 
seems like only create, read, update and delete are actually being enforced 
by crud.settings.auth=auth.  This is contrary to the book, which says:

The permissions names enforced by:

crud.settings.auth = auth

are "read", "create", "update", "delete", "select", "impersonate".


Any insight into this?  What's the best practices approach to restricting 
all access then granting only what's needed? 
