[web2py] Re: newby authorization question - need example

Sun, 28 Apr 2013 11:28:19 -0700 

Thanks so much Anthony, it works great!

Is this valuable enough for me to post to Slices? (I would also display the 
tables so that students can recreate the whole process).

def search_shared_services():
         is_owner = (lambda row: row.created_by == auth.user_id) if auth.user 
else False 
         grid = SQLFORM.smartgrid(db.SharedService, linked_tables=[
'SharedServicePartnerIntersection'], maxtextlength={
'SharedServicePartnerIntersection.sharedServiceID':140,  
'SharedService.shortSharedServiceTitle':140,
'SharedService.shortSharedServiceDescription':140}, editable=is_owner,deletable
=is_owner, user_signature=True) 
         return dict(grid=grid)


Thanks,

Alex

On Sunday, April 28, 2013 11:02:25 AM UTC-7, Anthony wrote:
>
>
> def search_shared_services():
>>          if (request.args(-3) in ['edit', 'delete'] and db[request.args(-
>> 2)](request.args(-1)).created_by != auth.user_id):
>>              grid = SQLFORM.smartgrid(db.SharedService, linked_tables=[
>> 'SharedServicePartnerIntersection'], maxtextlength={
>> 'SharedServicePartnerIntersection.sharedServiceID':140,  
>> 'SharedService.shortSharedServiceTitle':140,
>> 'SharedService.shortSharedServiceDescription':140}, editable=False,deletable
>> =False) 
>>
>
> No, the above isn't the way to do it. When the edit link is clicked, the 
> grid returns an edit form rather than a grid, so you don't want the code 
> inside that "if" condition to call the grid function again. Instead, you 
> want it to do something to deny access, such as:
>
> if (request.args(-3) in ['edit', 'delete'] and
>     db[request.args(-2)](request.args(-1)).created_by != auth.user_id):
>     session.flash = 'Access denied'
>     redirect(URL('default', 'search_shared_services'))  # go back to grid
> else:
>     grid = ...
>
> Instead, though, probably what you really want is to only show the edit 
> and delete buttons within rows owned by the user. To do that, note that the 
> "editable" and "deletable" arguments can be functions that accept a row of 
> the table and return True or False to determine whether to include the 
> button -- so, you can do:
>
> is_owner = (lambda row: row.created_by == auth.user_id) if auth.user else 
> False
> grid = SQLFORM.smartgrid(..., editable=is_owner, 
> deletable=is_owner,user_signature
> =True)
>
> Anthony
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to