check if the t_categories row that the user is loading actually belongs to
him ....
record = db(db.t_categories.id ==
request.args(0))(db.t_categories.created_by ==
auth.user_id).select().first()
if not record:
redirect(URL('not_authorized'))
BTW: with SQLFORM.grid it's easier (really).
allowed_records = db.t_categories.created_by == auth.user_id
grid = SQLFORM.grid(allowed_records)
By default, all links to edit, create, etc are all created with the
signature
web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls , so
users can't "tamper" playing with request.args
On Tuesday, September 24, 2013 7:47:39 PM UTC+2, Avi A wrote:
>
> Hi ,
> i want to display a user a list of item tht belongs to him:
> my_items= db(db.t_categories.created_by==auth.user.id
> ).select(db.t_categories.ALL)
> Then allow him to update each item from the list:
> item_update=crud.update(db.t_categories,request.args(0))
> so far so good.
> My problem is on the /args(0) page, I still have to make sure that:
> db.t_categories.created_by==auth.user.id
> I don't know how to inform the controller the var:
> db.t_categories.created_by.
> The ajax function or a different way?
> Thanks.
>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
