would do:
form=SQLFORM(db.mytable,thisrecord,deletable=have_delete_access)
Auth + Crud also understand the following convention:
auth=Auth(globals(),db)
auth.define_tables()
crud=Crud(globals(),db)
crud.settings.auth=auth
if auth.is_logged_in():
    auth.add_permission(auth.id_group(auth.user.id),'delete','mytable',record_id)
Now:
crud.delete(db.mytable,record_id)
Works if and only if user has delete permission on the record.
Massimo
On Mar 22, 2:37 am, vince <[email protected]> wrote:
> If I have this
>
> if have_delete_access:
>     form=SQLFORM(db.mytable,thisrecord,deletable=True)
> else:
>     form=SQLFORM(db.mytable,thisrecord,deletable=False)
> .... form accept and etc
>
> Is that secure? What if a user makes up their own form post?
>
> -vince
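
The per-record permission check described in the reply above, as an added example that is not part of the original thread and is not web2py code: a framework-free Python model in which a hand-made POST asking for deletion is honoured only when the server-side permission table allows it. RecordStore, handle_edit_post, the delete_this_record field name and the sample rows are assumptions of this sketch.

```python
# Framework-free model, NOT web2py code. The delete decision is taken from
# server-side state only; every POSTed field is treated as untrusted input.

class PermissionDenied(Exception):
    pass

class RecordStore:
    def __init__(self):
        self.rows = {}            # record_id -> row dict
        self.permissions = set()  # (group_id, name, table_name, record_id)

    def add_permission(self, group_id, name, table_name, record_id):
        self.permissions.add((group_id, name, table_name, record_id))

    def has_permission(self, group_id, name, table_name, record_id):
        return (group_id, name, table_name, record_id) in self.permissions

def handle_edit_post(store, group_id, table_name, record_id, post_vars):
    """Process an edit-form POST; return 'deleted' or 'updated'."""
    row = store.rows[record_id]  # KeyError for an unknown record
    if post_vars.get("delete_this_record"):  # hypothetical field name
        # Whether the rendered form showed a delete checkbox is irrelevant:
        # the client can send this field anyway, so check permission here.
        if not store.has_permission(group_id, "delete", table_name, record_id):
            raise PermissionDenied("no delete permission on record %r" % record_id)
        del store.rows[record_id]
        return "deleted"
    # Only columns that already exist on the row may be written.
    row.update({k: v for k, v in post_vars.items() if k in row})
    return "updated"

def demo():
    store = RecordStore()
    store.rows = {1: {"name": "first"}, 2: {"name": "second"}}  # constructed data
    store.add_permission(10, "delete", "mytable", 1)  # group 10 may delete record 1
    forged = {"name": "x", "delete_this_record": "on"}  # hand-made POST body
    results = []
    for record_id in (1, 2):
        try:
            results.append(handle_edit_post(store, 10, "mytable", record_id, dict(forged)))
        except PermissionDenied:
            results.append("denied")
    return results, store.rows

if __name__ == "__main__":
    print(demo())
```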