actually, it might be okay
the join in the decorator ensures that the user ID is in the same physical records that
are referenced in the URL vars
will definitely get a full evaluation before it goes to production
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
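The point made above (the join in the decorator must tie the logged-in user to the very records named by the URL vars) and Anthony's concern that users could walk the URL are easier to see side by side. The following is an added example, not code from this thread or from web2py: plain sqlite3 stands in for the web2py DAL, the `auth_group` / `auth_membership` tables and the `object:<id>` role convention are constructed sample data, and `unbound_check` is a constructed illustration of a check that does not bind the current user to the requested object, not a transcription of any decorator posted here.

```python
import sqlite3

# Constructed stand-in for web2py's auth_membership and auth_group tables
# (plain sqlite3 instead of the web2py DAL so this runs offline).
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE auth_group (id INTEGER PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE auth_membership (
            id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL,
            group_id INTEGER NOT NULL);
        -- One group per protected object; the role string carries the
        -- object's primary key, the convention described in the thread.
        INSERT INTO auth_group VALUES (1, 'object:100'), (2, 'object:200');
        -- Constructed sample: user 7 belongs to object 100 only,
        -- user 8 to object 200 only.
        INSERT INTO auth_membership VALUES (1, 7, 1), (2, 8, 2);
    """)
    return con

def role_for(object_id):
    """Map a requested object id (what request.get_vars.specificObjectID
    would carry) to the role string stored in auth_group. int() rejects
    anything that is not a plain integer."""
    return f"object:{int(object_id)}"

def unbound_check(con, user_id, requested_object_id):
    """Constructed insecure shape: asks only whether a group for the
    requested object exists. user_id is deliberately unused, so nothing
    ties the *current* user to the object and any authenticated user can
    step specificObjectID through the URL."""
    row = con.execute(
        "SELECT 1 FROM auth_group WHERE role = ?",
        (role_for(requested_object_id),),
    ).fetchone()
    return row is not None

def bound_check(con, user_id, requested_object_id):
    """Hardened shape: one query joins the logged-in user's membership rows
    to the group whose role names the requested object. The user id comes
    from the session, the object id from the URL; access needs a single row
    that satisfies both conditions."""
    row = con.execute(
        """
        SELECT 1
          FROM auth_membership m
          JOIN auth_group g ON g.id = m.group_id
         WHERE m.user_id = ?
           AND g.role = ?
         LIMIT 1
        """,
        (user_id, role_for(requested_object_id)),
    ).fetchone()
    return row is not None

def walk_urls(check, con, user_id, candidate_ids):
    """Simulate one user stepping specificObjectID through a range of
    values and return the ids the given check would let them reach."""
    return [oid for oid in candidate_ids if check(con, user_id, oid)]

def demo():
    con = build_db()
    ids = range(100, 201)
    return {
        "unbound": walk_urls(unbound_check, con, 7, ids),
        "bound": walk_urls(bound_check, con, 7, ids),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows user 7 reaching both objects under `unbound_check` but only object 100 under `bound_check`. The design point is that the decorator's condition must reference `auth.user_id` and the URL-supplied id in the same query; a condition that can be satisfied without the current user's membership row is walkable regardless of how the role strings are named.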
oops, regarding security, you're right Anthony. Users could walk the URL
address. Is this better? Seems to work...
@auth.requires(lambda: not db((db.auth_membership.user_id == auth.user_id)
& (db.auth_membership.group_id == db.auth_group.id) & (db.auth_group.role
==
On Wednesday, November 4, 2015 at 5:47:07 PM UTC-5, Alex Glaros wrote:
>
> oops, regarding security, you're right Anthony. Users could walk the URL
> address. Is this better? Seems to work...
>
> @auth.requires(lambda: not db((db.auth_membership.user_id == auth.user_id)
> &
That's completely unacceptable, bad security. You are right Anthony. What
would be a better method?
Right now the value of the role field in db.auth_group is the same as the
primary key of the object I want to set auth for. I was hoping to use that
idea to be able to restrict users to that
Are you saying that:
@auth.requires_membership(request.get_vars.specificObjectID)
allows access, but with the exact same query string (i.e., specificObjectID
set to the same value in the URL query string):
@auth.requires(auth.has_membership('Engagement_Squared_Super_Admin') or