The caveat here is that appadmin is unsafe, which is why it is restricted to 
administrators. This is because the queries in appadmin are Python code, 
therefore they can be exploited to gain login access to the system. This is 
not a problem for the admin because he/she already has login access. 

Instead of hacking appadmin access, I suggest just creating an action like:

@auth.requires_membership(role='admin')   # web2py's decorator is requires_membership
def manage():
    tablename = request.args(0)
    if tablename and tablename not in db.tables:
        raise HTTP(404)   # unknown name: 404 instead of a KeyError from db[tablename]
    if tablename:
        grid = SQLFORM.smartgrid(db[tablename])
    else:
        grid = UL(*[LI(A(t, _href=URL(args=t))) for t in db.tables])
    return locals()

and it will work even better.
On Thursday, 30 May 2013 08:24:20 UTC-5, Anthony wrote:
>
> On Thursday, May 30, 2013 3:44:51 AM UTC-4, Tim Richardson wrote:
>
>> The web2py admin actually has access to the applications (plural) in my 
>> understanding. I thought that giving specific people access to managing 
>> users and groups per-application would not be unusual. 
>>
>
> That's not unusual, but in web2py, you don't typically do it by exposing 
> appadmin, which provides complete access to the entire database. If you 
> just want to let an admin manage users and groups, you should write a 
> simple function that exposes only the users, groups, and membership tables 
> -- SQLFORM.smartgrid might be a good option. Perhaps we should add such a 
> function to the "welcome" app to make it easier to manage Auth memberships 
> and permissions.
>
> Anthony
>

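Added example, not code from the original post or from web2py itself: a controller action along the lines Anthony describes, exposing only the Auth tables through SQLFORM.smartgrid rather than the whole database. It assumes web2py's usual controller globals (db, auth, request, SQLFORM, HTTP, UL, LI, A, URL); the MANAGED_TABLES whitelist and the helper names are assumptions of this example.

```python
# Tables an 'admin' member may manage through this action. appadmin, by
# contrast, evaluates Python typed into its query box, so it stays reserved
# for the web2py administrator.
MANAGED_TABLES = ('auth_user', 'auth_group', 'auth_membership', 'auth_permission')


def is_managed(tablename, existing, allowed=MANAGED_TABLES):
    """True only for a table that both exists in db and is on the whitelist.

    Checking the whitelist (not just db.tables) means a real but unmanaged
    table such as 'payment' is refused exactly like a nonexistent one, so the
    action neither serves it nor confirms that it exists.
    """
    return bool(tablename) and tablename in allowed and tablename in existing


def managed_names(existing, allowed=MANAGED_TABLES):
    """Whitelisted tables that actually exist in this db, for the index page."""
    return [t for t in allowed if t in existing]


def manage():
    """web2py action: /app/default/manage[/auth_user] (assumed URL layout)."""
    # Explicit role check; the @auth.requires_membership('admin') decorator is
    # the equivalent web2py spelling.
    if not auth.has_membership(role='admin'):
        raise HTTP(403)
    tablename = request.args(0)
    if tablename and not is_managed(tablename, db.tables):
        raise HTTP(404)
    visible = managed_names(db.tables)
    if tablename:
        # linked_tables limits the grid's reference-following links to the
        # whitelist; by default smartgrid would link to every table that
        # references auth_user (posts, orders, ...).
        grid = SQLFORM.smartgrid(db[tablename], linked_tables=visible)
    else:
        grid = UL(*[LI(A(t, _href=URL(args=t))) for t in visible])
    return dict(grid=grid)
```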