Thanks, awesome answer!
I think I'm gonna go with the table callback method, I kind of feel safer
when doing security checks closer to the DB (maybe I'm wrong...)
- For the second solution (Authorization), as I am using a sqlform.grid,
I need to provide a query and not rows. So I tried to remove the select
part and I get back a set. However the grid does not seem to accept a set
either.
(Test in the shell)
In [6] : print db(auth.accessible_query('owner', db.feed,2))
<Set (feed.id IN (SELECT auth_permission.record_id FROM auth_permission,
auth_membership WHERE ((((auth_membership.user_id = 2) AND (auth_membership.
group_id = auth_permission.group_id)) AND (auth_permission.name = 'owner'))
AND (auth_permission.table_name = 'feed'))))>
(actual grid code)
query=db(auth.accessible_query('owner', db.feed))
grid = SQLFORM.grid(query)
return locals()
> Exception :
File "/home/mdipierro/make_web2py/web2py/gluon/sqlhtml.py", line 1882, in grid
TypeError: reduce() of empty sequence with no initial value
- Just to be sure I understand correctly, if you do some filtering on
the grid to display only what the user is allowed to edit with a query,
web2py will ensure that the user cannot forge a query that would edit
another entry that is not part of the filtered query, right?
Thanks again for your help!
On Friday, 22 March 2013 00:53:40 UTC+1, luismurciano wrote:
>
> Hi
>
> There are some easy ways to do it.
> If the owner reference is in the row you can use before and after
> callbacks <http://www.web2py.com/books/default/chapter/29/06#before-and-after-callbacks>
> something like:
>
> db.mytable._before_update.append(lambda s,r: True if r.owner ==
> auth.user_id else False)
>
> The True value cancels the insert
>
> Also you can use
> Authorization <http://www.web2py.com/books/default/chapter/29/09#Authorization>
>
> rows = db(auth.accessible_query('update', db.mytable, user_id))
> .select(db.mytable.ALL)
>
> I like the Authorization choice because it's a nice abstraction and you
> don't need to mess with forms or tables.
>
> I hope it helps.
>
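The difference between filtering what is listed and authorizing what is written, as an added example that is not part of either post and is not web2py's own code. It is a plain sqlite3 model that reuses the accessible_query SQL printed in the shell test above; the table contents, the function names and the bound parameters are constructed for the illustration.

```python
import sqlite3

# Predicate copied from the accessible_query output in the post; binding the
# user id and permission name as parameters is an assumption of this example.
ACCESSIBLE = """feed.id IN (
    SELECT auth_permission.record_id FROM auth_permission, auth_membership
    WHERE auth_membership.user_id = ?
      AND auth_membership.group_id = auth_permission.group_id
      AND auth_permission.name = ?
      AND auth_permission.table_name = 'feed')"""

def make_db():
    """Constructed sample data: user 2 owns feed 1, user 3 owns feed 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE feed (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE auth_membership (user_id INTEGER, group_id INTEGER);
        CREATE TABLE auth_permission (group_id INTEGER, name TEXT,
                                      table_name TEXT, record_id INTEGER);
        INSERT INTO feed VALUES (1, 'alice feed'), (2, 'bob feed');
        INSERT INTO auth_membership VALUES (2, 10), (3, 11);
        INSERT INTO auth_permission VALUES (10, 'owner', 'feed', 1),
                                           (11, 'owner', 'feed', 2);
    """)
    return db

def visible_ids(db, user_id):
    """Read side: the rows a listing filtered by the predicate would show."""
    sql = "SELECT id FROM feed WHERE " + ACCESSIBLE + " ORDER BY id"
    return [r[0] for r in db.execute(sql, (user_id, "owner"))]

def update_by_id(db, record_id, title):
    """Write keyed only on a client-supplied id: the predicate is not applied."""
    cur = db.execute("UPDATE feed SET title = ? WHERE id = ?", (title, record_id))
    return cur.rowcount

def update_if_owner(db, user_id, record_id, title):
    """Write that repeats the predicate, so an id outside it matches no rows."""
    sql = "UPDATE feed SET title = ? WHERE id = ? AND " + ACCESSIBLE
    cur = db.execute(sql, (title, record_id, user_id, "owner"))
    return cur.rowcount

def title_of(db, record_id):
    return db.execute("SELECT title FROM feed WHERE id = ?", (record_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(visible_ids(db, 2), update_if_owner(db, 2, 2, "x"), update_by_id(db, 2, "x"))
```

A returned row count of 0 from the scoped write is the signal an application can log when a request names a record outside the caller's permissions.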