Hello,

Maybe it could be easy to remove this issue and let appadmin be used by the admin user or any authorized user. Could the search feature of .grid() and .smartgrid() be used to search in appadmin?
Richard

On Thu, May 30, 2013 at 12:50 PM, Massimo Di Pierro <[email protected]> wrote:

> The caveat here is that appadmin is unsafe; that is why it is restricted to
> administrators. This is because the queries in appadmin are Python code,
> therefore they can be exploited to gain login access to the system. This is
> not a problem for admin because he/she already has login access.
>
> Instead of hacking appadmin access I suggest just creating an action like:
>
>     @auth.requires_membership(role='admin')
>     def manage():
>         # First URL argument selects the table; no argument shows the index.
>         tablename = request.args(0)
>         if tablename:
>             grid = SQLFORM.smartgrid(db[tablename])
>         else:
>             # List every table as a link back to this action.
>             grid = UL(*[LI(A(t, _href=URL(args=t))) for t in db.tables])
>         return locals()
>
> and it will work even better.
>
> On Thursday, 30 May 2013 08:24:20 UTC-5, Anthony wrote:
>>
>> On Thursday, May 30, 2013 3:44:51 AM UTC-4, Tim Richardson wrote:
>>
>>> The web2py admin actually has access to the applications (plural) in my
>>> understanding. I thought that giving specific people access to managing
>>> users and groups per-application would not be unusual.
>>
>> That's not unusual, but in web2py, you don't typically do it by exposing
>> appadmin, which provides complete access to the entire database. If you
>> just want to let an admin manage users and groups, you should write a
>> simple function that exposes only the users, groups, and membership tables
>> -- SQLFORM.smartgrid might be a good option. Perhaps we should add such a
>> function to the "welcome" app to make it easier to manage Auth memberships
>> and permissions.
>>
>> Anthony
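
The two suggestions quoted above combined, as an added example that is not part of the original thread: the manage() action restricted to the users, groups and membership tables. The default Auth table names, the role name 'admin' and the helper pick_table are assumptions of this example.

```python
# Added example; names marked "assumption" are not from the thread.
# Runs as a web2py controller: auth, db, request, SQLFORM, HTTP, UL, LI, A
# and URL are the globals web2py injects into controller files.

# Assumption: the app uses web2py's default Auth table names.
AUTH_TABLES = ('auth_user', 'auth_group', 'auth_membership')


def pick_table(arg, defined, allowed=AUTH_TABLES):
    """Hypothetical helper: return arg only if it is allowlisted and defined.

    It takes arguments, so web2py does not expose it as a URL action.
    """
    if isinstance(arg, str) and arg in allowed and arg in defined:
        return arg
    return None


def manage():
    # Inline role check: unauthenticated or non-admin requests get a 403.
    if not auth.has_membership(role='admin'):
        raise HTTP(403, 'admin role required')
    arg = request.args(0)
    if arg is None:
        # Index page: link only to the allowlisted tables that exist.
        links = [LI(A(t, _href=URL(args=t)))
                 for t in AUTH_TABLES if t in db.tables]
        return dict(grid=UL(*links))
    tablename = pick_table(arg, db.tables)
    if tablename is None:
        # Any other table name in the URL is refused rather than looked up.
        raise HTTP(404)
    # linked_tables keeps smartgrid from drilling into tables off the list.
    grid = SQLFORM.smartgrid(db[tablename], linked_tables=list(AUTH_TABLES))
    return dict(grid=grid)
```

Unlike db[tablename] on an unchecked URL argument, a request for any table outside AUTH_TABLES ends in a 404 before the database layer is touched.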

