Hi, I have a function to edit a calendar item and I want to make sure that only an admin user or the user who created this item can edit it.

Now I'm doing something like this:

    @auth.requires_login()
    def edit():
        # is the current user a member of the 'admin' group?
        is_admin = auth.has_membership(role='admin')
        # load the item whose id was passed in the URL (None if it does not exist)
        edited_calendar_item = db.calendar_item(request.args(0))
        if edited_calendar_item:
            # only admins or the owner (calendar_item.employee) may edit
            if not is_admin and edited_calendar_item.employee != auth.user.id:
                raise HTTP(401, 'not authorized')
        # (if the item does not exist, nothing is raised here and the action continues)

Is this a good practice, or are there better ways to do this?

Is it possible to customize the 401 error page (to display a nice page instead of just the error message), or should I do something different than raising the HTTP error? The error can only occur if the user manipulated the URL.

Alex
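One way to structure the owner-or-admin check so it cannot be forgotten, given as an added, stand-alone example (not code from the post above and not web2py's own code). It replaces the framework objects with plain Python so it runs offline: the `HTTP` class is a stand-in for web2py's `HTTP` exception, `ITEMS` and `load_item` are a constructed fake `calendar_item` table in place of `db.calendar_item(request.args(0))`, and `requires_owner_or_admin` / `authorize_edit` are names chosen for the example. Two details differ from the original snippet on purpose: a manipulated id that matches no row gets a 404 (so the response does not reveal whether someone else's item exists), and a real row the caller does not own gets 403 (Forbidden) rather than 401, since 401 means "not authenticated" and the user here is already logged in.

```python
"""Owner-or-admin authorization check as a stand-alone example.

Added illustration, not code from the original post or from web2py.
`HTTP`, `ITEMS`, `load_item`, `authorize_edit` and `requires_owner_or_admin`
are stand-ins / assumed names so the example runs without the framework.
"""
from functools import wraps


class HTTP(Exception):
    """Stand-in for web2py's HTTP exception (assumed shape: status, body)."""

    def __init__(self, status, body=""):
        super().__init__(status, body)
        self.status = status
        self.body = body


# Constructed sample rows standing in for the calendar_item table:
# 'employee' is the user id of the row's creator/owner.
ITEMS = {
    1: {"id": 1, "employee": 10, "title": "Standup"},
    2: {"id": 2, "employee": 11, "title": "Review"},
}


def load_item(item_id):
    """Stand-in for db.calendar_item(request.args(0)): row or None.

    URL arguments are untrusted strings, so a non-numeric or unknown id
    simply yields None instead of raising.
    """
    try:
        return ITEMS.get(int(item_id))
    except (TypeError, ValueError):
        return None


def authorize_edit(item, user_id, is_admin, owner_field="employee"):
    """Return `item` if `user_id` may edit it, otherwise raise HTTP.

    Check order matters: missing row -> 404 first, so an attacker probing
    ids learns nothing from the difference between 'absent' and 'not yours';
    existing row owned by someone else and caller not admin -> 403.
    """
    if item is None:
        raise HTTP(404, "not found")
    if not is_admin and item[owner_field] != user_id:
        raise HTTP(403, "not authorized")
    return item


def requires_owner_or_admin(owner_field="employee"):
    """Decorator: the wrapped action only ever receives an authorized row.

    Here the wrapper takes (item_id, user_id, is_admin) explicitly; in a
    web2py action those would come from request.args, auth.user.id and
    auth.has_membership(role='admin').
    """

    def decorator(action):
        @wraps(action)
        def wrapper(item_id, user_id, is_admin):
            item = authorize_edit(load_item(item_id), user_id, is_admin, owner_field)
            return action(item)

        return wrapper

    return decorator


@requires_owner_or_admin()
def edit(item):
    """Action body: runs only when the caller may edit `item`."""
    return "editing %s" % item["title"]


def try_edit(item_id, user_id, is_admin):
    """Run `edit` and report (status, body) instead of raising."""
    try:
        return 200, edit(item_id, user_id, is_admin)
    except HTTP as exc:
        return exc.status, exc.body


if __name__ == "__main__":
    print(try_edit(1, 10, False))    # owner        -> (200, 'editing Standup')
    print(try_edit(1, 11, False))    # other user   -> (403, 'not authorized')
    print(try_edit(1, 11, True))     # admin        -> (200, 'editing Standup')
    print(try_edit(99, 10, False))   # unknown id   -> (404, 'not found')
    print(try_edit("x", 10, False))  # malformed id -> (404, 'not found')
```

The decorator form keeps the check in one place, so every action that edits a calendar item gets the same 404/403 behaviour instead of each one re-implementing the comparison. As for the error page: web2py's routes.py has a `routes_onerror` list that maps status codes (per application or with a `*` wildcard) to an action of your own, which is how a raised `HTTP(403)` can be rendered as a normal, styled page rather than the bare message.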