Thanks for the response. To restate your answer, if arg[id] is declared, then the calling url must reflect this.
Given this, it turns out that I can avoid the problem I was having by simply changing the form.accepts section to redirect after processing. The previous version of sqlhtml.py was letting me get away with some questionable code.

On Wednesday, December 12, 2012 9:00:33 PM UTC-6, Massimo Di Pierro wrote:
> I believe this is the correct behavior.
>
> You are declaring that the Grid urls must contain args=[id] so if it
> does not you have no access. Your grid is readonly mode so it is always
> visible (when it properly parses the arguments).
>
> Am I missing something?
>
> On Monday, 10 December 2012 21:48:09 UTC-6, tomt wrote:
>> I simplified the controller to better understand the problem I'm seeing.
>>
>>     def test():
>>         id = 2
>>         query = (db.staffnotes.staffid == id)
>>         fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
>>         orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
>>         grid = SQLFORM.grid(query=query,
>>             details=False,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>             paginate=10,fields=fields,orderby=orderby,
>>             args=[id],
>>             )
>>         return dict(grid=grid)
>>
>> - When I call this routine with:
>>   http://localhost:8000/myapp/default/test
>>   - I receive the 'not authorized' flash and the grid doesn't display
>>
>> - If I call it with:
>>   http://localhost:8000/myapp/default/test/2
>>   - the grid displays with no error.
>>     (this appears to be because request.args(0) matches args=[id] where id=2)
>>
>> - If I call it with:
>>   http://localhost:8000/myapp/default/test/garbage/view
>>   - I receive the 'not authorized' flash and the grid doesn't display
>>   - If I sign off and repeat the url
>>     http://localhost:8000/myapp/default/test/garbage/view
>>   - the grid displays with no error.
>>   - I don't intend to pass phony urls to get past the error. I just listed
>>     them to try to understand what I'm doing wrong.
>>
>> - If I get rid of the args=[id] parameter on SQLFORM.grid call
>>   the grid displays no matter what the url is, and whether or not I'm
>>   logged in,
>>   but I need the args=[id] because I use it with links.
>>
>> Does this clarify anything?
>>
>> On Monday, December 10, 2012 12:44:30 PM UTC-6, tomt wrote:
>>> Yes, I am logged in.
>>>
>>> On the initial call of the controller the grid is displayed without an
>>> error. When I select a new value from the dropdown form, a new query is
>>> used and passed to SQLFORM.grid, and this is when the 'not authorized'
>>> flash is generated.
>>>
>>> On Monday, December 10, 2012 9:21:29 AM UTC-6, Massimo Di Pierro wrote:
>>>> Are you logged in when you try accessing the grid? Do you get a not
>>>> authorized when trying to visualize the grid or when searching or when
>>>> visualizing a record?
>>>>
>>>> Massimo
>>>>
>>>> On Sunday, 9 December 2012 19:23:20 UTC-6, tomt wrote:
>>>>> Hi,
>>>>>
>>>>> Recent changes in trunk are causing my use of SQLFORM.grid to issue a
>>>>> 'not authorized' flash.
>>>>> It appears to be because of the following change in sqlhtml.py:
>>>>>
>>>>> - stable:
>>>>>     # if not user_signature every action is accessible
>>>>>     # else forbid access unless
>>>>>     # - url is based url
>>>>>     # - url has valid signature (vars are not signed, only path_info)
>>>>>     # = url does not contain 'create','delete','edit' (readonly)
>>>>>     if user_signature:
>>>>>         if not(
>>>>>             '/'.join(str(a) for a in args) ==
>>>>>                 '/'.join(request.args) or
>>>>>             URL.verify(request, user_signature=user_signature,
>>>>>                        hash_vars=False) or not (
>>>>>             'create' in request.args or
>>>>>             'delete' in request.args or
>>>>>             'edit' in request.args)):
>>>>>             session.flash = T('not authorized')
>>>>>             redirect(referrer)
>>>>> - trunk
>>>>>     # if not user_signature every action is accessible
>>>>>     # else forbid access unless
>>>>>     # - url is based url
>>>>>     # - url has valid signature (vars are not signed, only path_info)
>>>>>     # = url does not contain 'create','delete','edit' (readonly)
>>>>>     if user_signature:
>>>>>         if not (
>>>>>             '/'.join(str(a) for a in args) ==
>>>>>                 '/'.join(request.args) or
>>>>>             URL.verify(request,user_signature=user_signature,
>>>>>                        hash_vars=False) or
>>>>>             (request.args(len(args))=='view' and not logged)):
>>>>>             session.flash = T('not authorized')
>>>>>             redirect(referrer)
>>>>>
>>>>> I normally call my routine with no parameter after having signed on
>>>>> and then I select a specific user from the dropdown list.
>>>>> With the latest trunk the selection is ignored and the flash 'not
>>>>> authorized' is generated. My controller doesn't call create, delete,
>>>>> or edit. It uses javascript to select and pass on the staffid to the
>>>>> grid.
>>>>>
>>>>> Restoring this piece of code in sqlhtml.py to the previous version
>>>>> eliminates my problem.
>>>>> I'm not sure what the change was meant to do differently. Perhaps it
>>>>> was a mistake, or it could be that I was using SQLFORM.grid incorrectly.
>>>>>
>>>>> ... my controller ....................................................
>>>>> def note_list():
>>>>>     script = SCRIPT("""
>>>>>         $('document').ready(function(){
>>>>>             $('#mycombo').change(function(){
>>>>>                 $('#myform').submit();
>>>>>             });
>>>>>         });
>>>>>     """)
>>>>>
>>>>>     form = SQLFORM(db.staffnotes,fields=['staffid'])
>>>>>     del form[0][1]  # delete the submit_record__row from the form
>>>>>     staffid = request.args(0)
>>>>>     # Modify form elements for use by script
>>>>>     form.attributes['_id'] = 'myform'
>>>>>     form.element('select').attributes['_id'] = 'mycombo'
>>>>>
>>>>>     # Build table of all notes if staffid isn't set
>>>>>     if staffid:
>>>>>         query = ((db.staffnotes.staffid == db.staff.id) &
>>>>>                  (db.staffnotes.staffid == staffid))
>>>>>     else:
>>>>>         query = ((db.staffnotes.staffid == db.staff.id))
>>>>>
>>>>>     if form.accepts(request.vars,session,dbio=False):
>>>>>         staffid = form.vars.staffid
>>>>>         query = ((db.staffnotes.staffid == db.staff.id) &
>>>>>                  (db.staffnotes.staffid == staffid))
>>>>>
>>>>>     fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
>>>>>     orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
>>>>>     maxtextlengths = {
>>>>>         'staffnotes.staffid': 20,
>>>>>         'staffnotes.comment': 200,
>>>>>     }
>>>>>
>>>>>     links=[dict(header='Link',body=mybody )]
>>>>>
>>>>>     if staffid:
>>>>>         print "grid D: form.vars.staffid %s, staffid %s " % (form.vars.staffid,staffid)
>>>>>         grid = SQLFORM.grid(query=query,
>>>>>             details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>>>             paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>>>>             args=[staffid],links=links,
>>>>>             )
>>>>>     else:
>>>>>         print "grid E: form.vars.staffid %s, staffid %s " % (form.vars.staffid,staffid)
>>>>>         grid = SQLFORM.grid(query=query,
>>>>>             details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>>>             paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>>>>             links=links,
>>>>>             )
>>>>>
>>>>>     response.title='Notes'
>>>>>     print ""
>>>>>     return dict(form=form, script=script, grid=grid)
>>>>> ......................................................................
>>>>>
>>>>> - any suggestions?
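The two versions of the access check quoted in this thread, modelled as pure functions so their decisions can be compared on the URLs discussed above. This is an added example, not part of the thread or of web2py's code; `sig_valid` stands in for the result of `URL.verify(...)` and `logged` for the login flag used in sqlhtml.py, and the helper names are hypothetical.

```python
# Added illustration of the 'stable' and 'trunk' checks quoted in the thread.
# Assumptions: sig_valid replaces URL.verify(...), logged replaces the login
# flag in sqlhtml.py, request_args is a plain list of path segments.

WRITE_ACTIONS = ('create', 'delete', 'edit')


def arg_at(request_args, i):
    """Mimic request.args(i): None instead of IndexError when out of range."""
    return request_args[i] if 0 <= i < len(request_args) else None


def is_base_url(args, request_args):
    """True when the request path args equal the args declared on the grid."""
    return '/'.join(str(a) for a in args) == '/'.join(request_args)


def stable_allows(args, request_args, sig_valid=False, user_signature=True):
    if not user_signature:
        return True
    # Third clause: any URL without a write action passes as "readonly".
    read_only = not any(a in request_args for a in WRITE_ACTIONS)
    return is_base_url(args, request_args) or sig_valid or read_only


def trunk_allows(args, request_args, logged, sig_valid=False,
                 user_signature=True):
    if not user_signature:
        return True
    # Third clause narrowed: only an unsigned 'view' by a logged-out visitor.
    anon_view = arg_at(request_args, len(args)) == 'view' and not logged
    return is_base_url(args, request_args) or sig_valid or anon_view


def compare(args, request_args, logged):
    """Return (stable decision, trunk decision) for an unsigned request."""
    return (stable_allows(args, request_args),
            trunk_allows(args, request_args, logged))


# Constructed cases mirroring the thread's URLs for a grid with args=[2]:
# (request path args, logged in?)
CASES = [([], True), (['2'], True),
         (['garbage', 'view'], True), (['garbage', 'view'], False)]

if __name__ == '__main__':
    for request_args, logged in CASES:
        print(request_args, logged, compare([2], request_args, logged))
```

The first case is also what happens in `note_list` when the form is posted back to the URL without a staffid and the grid is then built with `args=[staffid]`; redirecting after `form.accepts` so that the URL carries the staffid makes the base-URL clause match.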

