Massimo, I have a normalized database containing, among other things, a company table which is referenced by 10 other tables (address, nfa, et cetera). The database will contain thousands of companies, of which only a percentage will manage their own data on two levels (core and site). User registration will be performed by the site administrator and no verification mail will be sent.

In the web2py documentation and examples a user registers before creating any records. In tools.py, when a user registers, a new group is created and the user is made the sole member of that group. Permissions are added every time a record is created. In my case the site administrator is the owner of all records in the database; by registering a company he grants the company co-ownership of its existing records and the permission to crud its own records.

After implementing the crud_address and update_address functions I tested them for several users. I noticed that when I expose the update function the user is able to manipulate the URL. In the following URL 5 is the record_id of an address:

http://127.0.0.1:8000/mock/crud/data/update/adres/5

When the user changes the record_id in the URL to 3, the address record with record_id 3 is displayed and the logged-in user can update or delete the record even though it isn't related to his company.

I know this problem is related to the fact that I have not added permissions for every single record in the database. The problem is that the record_ids of the existing records are unknown the moment the user registers. In the company table record_id identifies the company, but in all the other tables the field company identifies the company, because they are foreign keys.

I hope there is another way to solve this problem, for instance by removing the args and vars from the URL and adding a validator to form.accepts like:

form.adres.bedrijf=auth.user.bedrijf

which checks if the company id in the form equals the company id of the logged-in user's company.

Kind regards,

Annet.

--
You received this message because you are subscribed to the Google Groups "web2py Web Framework" group.
For more options, visit this group at http://groups.google.com/group/web2py?hl=en
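The ownership check the post is asking about, written out as an added example that is not part of the original thread and not web2py's own code. It uses plain Python with an in-memory sqlite3 database and a constructed two-table schema (bedrijf, adres) that mirrors the post; the record ids 3 and 5, the company ids, the column names naam/straat and all helper names are assumptions. It demonstrates the rule that fixes the URL-tampering problem described above: a record selected by a client-supplied id (a URL argument or a form field, it makes no difference) must be fetched with the logged-in user's company as part of the query, so that another company's row is simply not found and no per-record permission rows are needed. It also runs the form-field-only check from the post (compare the company id posted in the form with the user's company) to show that it does not protect the row that the id points at.

```python
import sqlite3

# Constructed sample schema mirroring the post: a company table (bedrijf) and an
# address table (adres) whose 'bedrijf' column is a foreign key to the company.
# Record 5 belongs to company 1, record 3 to company 2 (the ids from the post).
SCHEMA = """
CREATE TABLE bedrijf (id INTEGER PRIMARY KEY, naam TEXT NOT NULL);
CREATE TABLE adres (
    id      INTEGER PRIMARY KEY,
    bedrijf INTEGER NOT NULL REFERENCES bedrijf(id),
    straat  TEXT NOT NULL
);
INSERT INTO bedrijf VALUES (1, 'Alpha BV'), (2, 'Beta BV');
INSERT INTO adres VALUES (3, 2, 'Beta-laan 1');
INSERT INTO adres VALUES (5, 1, 'Alpha-weg 9');
"""


class Forbidden(Exception):
    """Equivalent of answering the request with HTTP 403."""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_adres_unscoped(conn, record_id):
    """The leaking pattern: look the row up by the id from the URL and nothing else."""
    return conn.execute(
        "SELECT id, bedrijf, straat FROM adres WHERE id = ?", (record_id,)
    ).fetchone()


def load_adres_for_company(conn, user_company, record_id):
    """Scoped lookup: the row must belong to the logged-in user's company.
    A row of another company is 'not found', which is exactly what we want."""
    row = conn.execute(
        "SELECT id, bedrijf, straat FROM adres WHERE id = ? AND bedrijf = ?",
        (record_id, user_company),
    ).fetchone()
    if row is None:
        raise Forbidden(f"adres {record_id} is not visible to company {user_company}")
    return row


def update_adres(conn, user_company, record_id, new_straat):
    """Update only after the scoped lookup succeeded; the UPDATE repeats the
    company condition so the check cannot be raced. Returns rows changed."""
    load_adres_for_company(conn, user_company, record_id)
    cur = conn.execute(
        "UPDATE adres SET straat = ? WHERE id = ? AND bedrijf = ?",
        (new_straat, record_id, user_company),
    )
    conn.commit()
    return cur.rowcount


def update_adres_form_check_only(conn, user_company, record_id, posted_bedrijf, new_straat):
    """The check proposed in the post: compare the company id posted in the form
    with the user's company. The attacker simply posts their own company id while
    record_id still points at another company's row, so the write goes through."""
    if posted_bedrijf != user_company:
        raise Forbidden("company id in form does not match the user's company")
    cur = conn.execute(
        "UPDATE adres SET straat = ? WHERE id = ?", (new_straat, record_id)
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Replay the scenario from the post as a user of company 1: adres 5 is
    their own record, adres 3 belongs to company 2. Returns the outcomes."""
    conn = connect()
    results = {}
    # Unscoped lookup hands back company 2's row to a company 1 user.
    results["unscoped_returns_other_company"] = load_adres_unscoped(conn, 3)[1] == 2
    # Scoped update of the user's own record succeeds.
    results["scoped_own_record_rows"] = update_adres(conn, 1, 5, "Alpha-weg 10")
    # Scoped update of the other company's record is refused.
    try:
        update_adres(conn, 1, 3, "tampered")
        results["scoped_other_record"] = "updated"
    except Forbidden:
        results["scoped_other_record"] = "forbidden"
    # Form-field check only: attacker posts bedrijf=1 (their own) with record_id=3.
    results["form_check_bypassed"] = (
        update_adres_form_check_only(conn, 1, 3, 1, "tampered") == 1
    )
    results["row3_after_bypass"] = conn.execute(
        "SELECT straat FROM adres WHERE id = 3"
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In web2py terms this means not passing request.args(0) straight into crud.update, but first selecting the row with a query on both the id and the company column, and only handing that row (or nothing, with a 403) to crud.update; the same scoping applies to delete and to the form's hidden id field, since every identifier the client sends is attacker-controlled. That presumes, as the post's own snippet does, that the company id is available on the logged-in user (auth.user.bedrijf).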

