I believe this is the correct behavior. You are declaring that the Grid urls must contain args=[id], so if it does not you have no access. Your grid is in readonly mode so it is always visible (when it properly parses the arguments).

Am I missing something?

On Monday, 10 December 2012 21:48:09 UTC-6, tomt wrote:
>
> I simplified the controller to better understand the problem I'm seeing.
>
> def test():
>     id = 2
>     query = (db.staffnotes.staffid == id)
>     fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
>     orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
>     grid = SQLFORM.grid(query=query,
>         details=False,csv=False,editable=False,deletable=False,create=False,searchable=True,
>         paginate=10,fields=fields,orderby=orderby,
>         args=[id],
>     )
>     return dict(grid=grid)
>
> - When I call this routine with:
>   http://localhost:8000/myapp/default/test
> - I receive the 'not authorized' flash and the grid doesn't display
>
> - If I call it with:
>   http://localhost:8000/myapp/default/test/2
> - the grid displays with no error.
>   (this appears to be because request.args(0) matches args=[id] where id=2)
>
> - If I call it with:
>   http://localhost:8000/myapp/default/test/garbage/view
> - I receive the 'not authorized' flash and the grid doesn't display
> - If I sign off and repeat the url
>   http://localhost:8000/myapp/default/test/garbage/view
> - the grid displays with no error.
> - I don't intend to pass phony urls to get past the error. I just listed
>   them to try to understand what I'm doing wrong.
>
> - If I get rid of the args=[id] parameter on the SQLFORM.grid call,
>   the grid displays no matter what the url is, and whether or not I'm
>   logged in,
>   but I need the args=[id] because I use it with links.
>
> Does this clarify anything?
>
> On Monday, December 10, 2012 12:44:30 PM UTC-6, tomt wrote:
>>
>> Yes, I am logged in.
>>
>> On the initial call of the controller the grid is displayed without an
>> error. When I select a new value from the dropdown form, a new query is
>> used and passed to SQLFORM.grid, and this is when the 'not authorized'
>> flash is generated.
>>
>> On Monday, December 10, 2012 9:21:29 AM UTC-6, Massimo Di Pierro wrote:
>>>
>>> Are you logged in when you try accessing the grid? Do you get a not
>>> authorized when trying to visualize the grid or when searching or when
>>> visualizing a record?
>>>
>>> Massimo
>>>
>>> On Sunday, 9 December 2012 19:23:20 UTC-6, tomt wrote:
>>>>
>>>> Hi,
>>>>
>>>> Recent changes in trunk are causing my use of SQLFORM.grid to issue a
>>>> 'not authorized' flash.
>>>> It appears to be because of the following change in sqlhtml.py:
>>>>
>>>> - stable:
>>>>     # if not user_signature every action is accessible
>>>>     # else forbid access unless
>>>>     # - url is base url
>>>>     # - url has valid signature (vars are not signed, only path_info)
>>>>     # = url does not contain 'create','delete','edit' (readonly)
>>>>     if user_signature:
>>>>         if not(
>>>>             '/'.join(str(a) for a in args) == '/'.join(request.args) or
>>>>             URL.verify(request, user_signature=user_signature, hash_vars=False) or not (
>>>>                 'create' in request.args or
>>>>                 'delete' in request.args or
>>>>                 'edit' in request.args)):
>>>>             session.flash = T('not authorized')
>>>>             redirect(referrer)
>>>>
>>>> - trunk:
>>>>     # if not user_signature every action is accessible
>>>>     # else forbid access unless
>>>>     # - url is base url
>>>>     # - url has valid signature (vars are not signed, only path_info)
>>>>     # = url does not contain 'create','delete','edit' (readonly)
>>>>     if user_signature:
>>>>         if not (
>>>>             '/'.join(str(a) for a in args) == '/'.join(request.args) or
>>>>             URL.verify(request,user_signature=user_signature, hash_vars=False) or
>>>>             (request.args(len(args))=='view' and not logged)):
>>>>             session.flash = T('not authorized')
>>>>             redirect(referrer)
>>>>
>>>> I normally call my routine with no parameter after having signed on
>>>> and then I select a specific user from the dropdown list.
>>>> With the latest trunk the selection is ignored and the flash 'not
>>>> authorized' is generated.
>>>> My controller doesn't call create, delete, or edit. It uses javascript
>>>> to select and pass on the staffid to the grid.
>>>>
>>>> Restoring this piece of code in sqlhtml.py to the previous version
>>>> eliminates my problem.
>>>> I'm not sure what the change was meant to do differently. Perhaps it was a
>>>> mistake, or it could be that I was using SQLFORM.grid incorrectly.
>>>>
>>>> ... my controller ....................................................
>>>> def note_list():
>>>>     script = SCRIPT("""
>>>>     $('document').ready(function(){
>>>>         $('#mycombo').change(function(){
>>>>             $('#myform').submit();
>>>>         });
>>>>     });
>>>>     """)
>>>>
>>>>     form = SQLFORM(db.staffnotes,fields=['staffid'])
>>>>     del form[0][1]  # delete the submit_record__row from the form
>>>>     staffid = request.args(0)
>>>>     # Modify form elements for use by script
>>>>     form.attributes['_id'] = 'myform'
>>>>     form.element('select').attributes['_id'] = 'mycombo'
>>>>
>>>>     # Build table of all notes if staffid isn't set
>>>>     if staffid:
>>>>         query = ((db.staffnotes.staffid == db.staff.id) &
>>>>                  (db.staffnotes.staffid == staffid))
>>>>     else:
>>>>         query = ((db.staffnotes.staffid == db.staff.id))
>>>>
>>>>     if form.accepts(request.vars,session,dbio=False):
>>>>         staffid = form.vars.staffid
>>>>         query = ((db.staffnotes.staffid == db.staff.id) &
>>>>                  (db.staffnotes.staffid == staffid))
>>>>
>>>>     fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
>>>>     orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
>>>>     maxtextlengths = {
>>>>         'staffnotes.staffid': 20,
>>>>         'staffnotes.comment': 200,
>>>>     }
>>>>
>>>>     links=[dict(header='Link',body=mybody )]
>>>>
>>>>     if staffid:
>>>>         print "grid D: form.vars.staffid %s, staffid %s " % (form.vars.staffid,staffid)
>>>>         grid = SQLFORM.grid(query=query,
>>>>             details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>>             paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>>>             args=[staffid],links=links,
>>>>         )
>>>>     else:
>>>>         print "grid E: form.vars.staffid %s, staffid %s " % (form.vars.staffid,staffid)
>>>>         grid = SQLFORM.grid(query=query,
>>>>             details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>>             paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>>>             links=links,
>>>>         )
>>>>
>>>>     response.title='Notes'
>>>>     print ""
>>>>     return dict(form=form, script=script, grid=grid)
>>>> ......................................................................
>>>>
>>>> - any suggestions?
>>>>
>>>> --
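To see why each URL in the thread behaves as tomt observed, the two conditions from the quoted sqlhtml.py snippet can be transcribed as plain predicates and run against his four requests. This is an added model written for this thread, not web2py's code: `url_verify` is a stand-in HMAC check over the path components only (an assumption standing in for `URL.verify(..., hash_vars=False)`, whose real signature format differs), and the key and URLs are constructed for the demonstration. The stable branch lets any read-only URL through, which is why removing `args=[id]` made the grid appear for every URL; the trunk branch accepts only the grid's own base URL, a signed URL, or an anonymous `view`, so `/test` and a logged-in `/test/garbage/view` are refused while a signed-off `/test/garbage/view` still passes.

```python
"""Model of the SQLFORM.grid URL authorization check quoted in the thread.

Added illustration, not web2py's code. `authorized_stable` and
`authorized_trunk` transcribe the two quoted conditions; `url_verify` is a
stand-in HMAC check (assumption: web2py's URL.verify uses its own format).
"""
import hmac
import hashlib

# Constructed demo key; stands in for the per-session user_signature secret.
SECRET = b"constructed-demo-key"


def sign_path(path_args):
    """Hex HMAC over the path components only (vars are not signed, as the
    quoted comment says). Stand-in for the signature URL.verify checks."""
    path_info = "/".join(str(a) for a in path_args)
    return hmac.new(SECRET, path_info.encode(), hashlib.sha256).hexdigest()


def url_verify(request_args, signature):
    """Stand-in for URL.verify(request, user_signature=..., hash_vars=False):
    accept only a constant-time match of the signature over the path."""
    if not signature:
        return False
    return hmac.compare_digest(sign_path(request_args), signature)


def base_url_matches(args, request_args):
    # '/'.join(str(a) for a in args) == '/'.join(request.args)
    return "/".join(str(a) for a in args) == "/".join(request_args)


def authorized_stable(args, request_args, signature=None):
    """stable: base url, OR valid signature, OR any url that does not
    contain 'create', 'delete' or 'edit' (i.e. every readonly url)."""
    readonly = not ("create" in request_args or
                    "delete" in request_args or
                    "edit" in request_args)
    return (base_url_matches(args, request_args) or
            url_verify(request_args, signature) or
            readonly)


def authorized_trunk(args, request_args, signature=None, logged=False):
    """trunk: base url, OR valid signature, OR an anonymous 'view' placed
    right after the grid's args (request.args(len(args)) == 'view')."""
    # request.args(i) returns None when i is out of range; mirror that here.
    arg_after = request_args[len(args)] if len(request_args) > len(args) else None
    anon_view = (arg_after == "view" and not logged)
    return (base_url_matches(args, request_args) or
            url_verify(request_args, signature) or
            anon_view)


def tomt_cases(args=(2,)):
    """The four requests from the thread (constructed from the URLs tomt
    listed), evaluated under both versions: label -> (stable, trunk)."""
    cases = {
        "/test (logged in)":               ([], True),
        "/test/2 (logged in)":             (["2"], True),
        "/test/garbage/view (logged in)":  (["garbage", "view"], True),
        "/test/garbage/view (signed off)": (["garbage", "view"], False),
    }
    return {label: (authorized_stable(list(args), req),
                    authorized_trunk(list(args), req, logged=logged))
            for label, (req, logged) in cases.items()}


if __name__ == "__main__":
    for label, (stable, trunk) in tomt_cases().items():
        print("%-34s stable=%-5s trunk=%s" % (label, stable, trunk))
```

Run stand-alone it prints the decision of each version for each URL; a link built with `user_signature=True` would instead carry a valid signature and pass both versions regardless of its path, which is the intended way to reach records outside the grid's base URL.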

