You can do:

if request.args(0) in ['edit', 'delete']:
    STORE_DETAILS.id == int(request.args(2)) or redirect(URL('default', 'wherever'))

db.pages.stores_id.default = STORE_DETAILS.id
query = ((db.pages.stores_id == STORE_DETAILS.id))
form = SQLFORM.grid(query=query)
return dict(form=form)

On Wed, Sep 5, 2012 at 9:38 PM, Kevin C <ke...@techdaddies.com> wrote:
> Basically, we are generating a SQLFORM.grid with the following code:
>
> db.pages.stores_id.default = STORE_DETAILS.id
> query = ((db.pages.stores_id == STORE_DETAILS.id))
> form = SQLFORM.grid(query=query)
>
> return dict(form=form)
>
> This is working perfectly fine for us. However, we have noticed that if
> we just change the ID in the query string for the edit page, we are allowed
> to edit other stores' entries.
>
> IE
> http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743... <http://test.shofty.com/shofty/admin/pages/edit/pages/6?_signature=f8c55607435864253b5f5b37a6b7109956e4a8fa>
>
> What is the proper way to do this, then? The grid itself looks great, but
> just by changing the page ID in the URL, we are allowed to edit pages not
> belonging to us. I guess I was hoping that the query conditional would be
> passed to each function (add, edit, delete) but that obviously is not the
> case. Is multi-tenancy the solution to this issue or are we overlooking
> something simple?
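Added example, not from either message in the thread: a stand-alone Python sketch of the two separate controls the reply describes, the listing query that narrows what the grid shows and a per-request ownership check on the record named in the edit/delete URL. It runs without web2py, so `PAGES` is a constructed in-memory stand-in for `db.pages`, `current_store_id` stands in for `STORE_DETAILS.id`, a `Denied` exception stands in for `redirect()`, and `authorize_grid_action`/`is_allowed` are names chosen here. It goes slightly beyond the reply by also covering the grid's `view` action and by checking the record's `stores_id` field rather than the record id, and it rejects malformed ids and unknown records.

```python
# Added example (not the thread's code): ownership check for SQLFORM.grid
# record actions, against an in-memory stand-in for db.pages.
# Assumed names: PAGES, current_store_id, Denied, authorize_grid_action, is_allowed.

# Constructed sample data standing in for db.pages: record id -> row,
# with the stores_id field the thread's listing query filters on.
PAGES = {
    5: {"stores_id": 1, "title": "store 1 home"},
    6: {"stores_id": 2, "title": "store 2 home"},
}

# Grid actions whose URL names a single record in request.args(2):
# /pages/<action>/<table>/<id>. The reply lists edit and delete; view is
# included here as well since it also addresses one record.
RECORD_ACTIONS = {"view", "edit", "delete"}


class Denied(Exception):
    """Stands in for the redirect() the controller would issue."""


def listing_query(current_store_id):
    """Mimics query=(db.pages.stores_id == STORE_DETAILS.id).

    This only narrows the rows the grid lists; it says nothing about a
    record id that arrives in the URL of an edit/delete/view request.
    """
    return {rid for rid, row in PAGES.items() if row["stores_id"] == current_store_id}


def authorize_grid_action(args, current_store_id):
    """Check the record named by a grid URL before the action runs.

    args mimics request.args, e.g. ['edit', 'pages', '6'].
    Returns the record id when the action is allowed for this store,
    None when the request names no record (listing, new), and raises
    Denied where the controller would redirect away.
    """
    action = args[0] if len(args) > 0 else None
    if action not in RECORD_ACTIONS:
        return None  # nothing record-specific to check on this request
    if len(args) < 3 or args[1] != "pages":
        raise Denied("malformed grid URL: %r" % (args,))
    try:
        record_id = int(args[2])
    except ValueError:
        raise Denied("record id is not an integer: %r" % (args[2],))
    row = PAGES.get(record_id)
    # Compare the record's owning store with the current store; the record
    # id itself carries no ownership information.
    if row is None or row["stores_id"] != current_store_id:
        raise Denied("record %s does not belong to store %s" % (record_id, current_store_id))
    return record_id


def is_allowed(args, current_store_id):
    """Boolean wrapper around authorize_grid_action for callers that
    prefer a yes/no answer to an exception."""
    try:
        authorize_grid_action(args, current_store_id)
        return True
    except Denied:
        return False


if __name__ == "__main__":
    # Store 1 is logged in: its own page may be edited, store 2's may not,
    # even though the listing query already hides store 2's page.
    print("listing for store 1:", listing_query(1))
    print("edit own page:", is_allowed(["edit", "pages", "5"], 1))
    print("edit other store's page:", is_allowed(["edit", "pages", "6"], 1))
```

The point of keeping `listing_query` and `authorize_grid_action` separate is that the grid's query is a display filter, so the ownership check has to run on every request that names a record, before the grid is built.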