I realize T2 is deprecated, but here's
(http://www.mail-archive.com/web2py@googlegroups.com/msg05280.html)
further reference to the behaviour I'm expecting.

"
now give yourself back permission *only* to select record in table
[app]_user

group_id=auth.add_group(role='Manager')
auth.add_membership(group_id,auth.user.id)
auth.add_permission(group_id,'select','[app]_user')
"


On Feb 15, 5:04 pm, rocket <dean.stam...@gmail.com> wrote:
> I found this thread
> <http://www.mail-archive.com/web2py@googlegroups.com/msg17851.html> which
> seems to indicate that something was being done about this, but it still
> seems like only create, read, update and delete are actually being enforced
> by crud.settings.auth=auth.  This is contrary to the book which says
>
> The permissions names enforced by:
>
> crud.settings.auth = auth
>
> are "read", "create", "update", "delete", "select", "impersonate".
>
> Any insight into this?  What's the best practices approach to restricting
> all access then granting only what's needed?
