Hi,
I have a function to edit a calendar item and I want to make sure that
only an admin user or the user who created this item can edit it.
Now I'm doing something like this:
@auth.requires_login()
def edit():
    is_admin = auth.has_membership(role='admin')
    # db.calendar_item(id) returns None when the id does not resolve
    edited_calendar_item = db.calendar_item(request.args(0))
    if edited_calendar_item:
        if not is_admin and edited_calendar_item.employee != auth.user.id:
            raise HTTP(401, 'not authorized')
Is this a good practice or are there better ways to do this? Is it
possible to customize the 401 error page (to display a nice page
instead of just the error message), or should I do something different
than raising the HTTP error? The error can only occur if the user
manipulated the URL.
Alex
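As an added example (not part of Alex's post or of web2py itself), the owner-or-admin decision pulled out of the controller into a function that can be unit-tested. The `HTTP` class, the `CALENDAR_ITEMS` table and the `edit()` wrapper are constructed stand-ins for web2py's `gluon.http.HTTP`, `db.calendar_item` and the controller action, so the file runs outside web2py.

```python
class HTTP(Exception):
    """Stand-in for web2py's HTTP exception (constructed for this example)."""

    def __init__(self, status, body=""):
        super().__init__(f"{status} {body}")
        self.status = status
        self.body = body


def authorize_edit(item, user_id, is_admin):
    """Return `item` if `user_id` may edit it, otherwise raise HTTP.

    item     -- the calendar_item row, or None if the id did not resolve
    user_id  -- auth.user.id of the logged-in user
    is_admin -- result of auth.has_membership(role='admin')
    """
    if item is None:
        # An id that does not resolve is "not found", not "not authorized";
        # keeping the two cases apart makes the logs easier to read.
        raise HTTP(404, "calendar item not found")
    if is_admin or item["employee"] == user_id:
        return item
    # The caller is authenticated but is neither owner nor admin: 403 is the
    # status for that, while 401 means "authentication required".
    raise HTTP(403, "not authorized")


# Constructed sample rows standing in for db.calendar_item.
CALENDAR_ITEMS = {
    1: {"id": 1, "title": "standup", "employee": 10},
    2: {"id": 2, "title": "review", "employee": 11},
}


def edit(item_id, user_id, is_admin=False):
    """Controller-style entry point: look the item up, then authorize."""
    item = CALENDAR_ITEMS.get(item_id)  # None when the id does not exist
    return authorize_edit(item, user_id, is_admin)


def status_of(item_id, user_id, is_admin=False):
    """Return the HTTP status edit() raises, or None if it succeeds."""
    try:
        edit(item_id, user_id, is_admin)
    except HTTP as exc:
        return exc.status
    return None
```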