Add a created_by field to the tables that defaults to auth.user_id. In the
grid controller, do something like this:

    if (request.args(-3) in ['edit', 'delete'] and
            db[request.args(-2)](request.args(-1)).created_by != auth.user_id):
        [code to prevent access]

Anthony
On Saturday, April 27, 2013 1:33:54 AM UTC-4, Alex Glaros wrote:
>
> Anthony,
>
> I think you're correct in that the value is always True. That's what
> happens in my function.
>
> What would be the correct way to allow user editing capability for their
> records only?
>
> thanks,
>
> Alex
>
> db.define_table('SharedService',
>     Field('shortSharedServiceTitle', 'string', label='Title'),
>     Field('shortSharedServiceDescription', 'string', label='Description'))
> ## ------------------------------------------------------------------------------------------
> db.define_table('SharedServicePartnerIntersection',
>     Field('sharedServiceID', 'reference SharedService',
>           writable=False, readable=False),
>     Field('organizationID', 'reference Organization'))
>
>
> On Friday, April 26, 2013 3:11:49 PM UTC-7, Anthony wrote:
>>
>> def search_shared_services():
>>
>>     if db.SharedService.created_by==auth.user:
>>
>> The above generates a Query object (which will always evaluate to True);
>> it does not test whether the requested record was created by the current
>> auth.user (anyway, it should be auth.user.id or auth.user_id --
>> auth.user is the complete user record). Instead, you want to check if the
>> request is to edit a record, and if so, whether that record was created by
>> the current auth.user_id.
>>
>> Anthony
>>
>
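
The difference between the two checks discussed in this thread, as an added example that is not part of the original messages and is not web2py code: `Field` and `Query` are constructed stand-ins that mimic how a DAL field comparison builds a query object, and `naive_check`, `must_block` and `TABLES` are hypothetical names. It goes slightly beyond the snippet in the reply by also refusing the request when the record does not exist or no user is logged in.

```python
# Added example: plain-Python stand-ins, not web2py or pyDAL code.
GUARDED_ACTIONS = ('edit', 'delete')

class Query:
    """Stand-in for a DAL query expression: an ordinary object, so always truthy."""
    def __init__(self, left, right):
        self.left, self.right = left, right

class Field:
    """Stand-in for a DAL field: == builds a Query instead of comparing values."""
    def __init__(self, name):
        self.name = name
    def __eq__(self, other):
        return Query(self, other)
    __hash__ = object.__hash__

def naive_check(created_by_field, user_id):
    # The pattern from the thread: tests the truthiness of a Query, not a record.
    return bool(created_by_field == user_id)

def must_block(args, tables, user_id):
    """Return True when the request must be refused.

    args   -- URL args; the grid puts action, table name, record id last
    tables -- constructed stand-in for db: {table_name: {record_id: row_dict}}
    """
    if len(args) < 3 or args[-3] not in GUARDED_ACTIONS:
        return False                      # not an edit/delete request
    table = tables.get(args[-2])
    try:
        row = table.get(int(args[-1])) if table is not None else None
    except ValueError:
        row = None                        # non-numeric record id
    if row is None:
        return True                       # unknown table or record: fail closed
    # An anonymous request never matches an owner, even if created_by is empty.
    return user_id is None or row.get('created_by') != user_id

# Constructed sample data: user 1 owns record 10, user 2 owns record 11.
TABLES = {'SharedService': {10: {'created_by': 1}, 11: {'created_by': 2}}}
```
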