Each user has a unique group with only one member: him.
So in your controller, something like
def my_great_function():
# Not sure if Web2py session supports get, session.get(auth.user.id,
'nobody') would be more
# concise than the next 4 lines of code.
if 'auth' in session: # defensive code in case session has timed out
user_id = auth.user.id
else:
return # Session has timed out, most likely. Maybe you want to
redirect to login screen
# user_id = 'nobody' Alternative if you don't want to redirect
group_name = 'user_{}'.format(user_id)
if not auth.has_membership(group_name):
# whatever you decide to do with failed attempt
pass
# Your great code here
pass
On Friday, August 8, 2014 6:03:34 PM UTC-4, desta wrote:
>
> Let's assume a table:
> db.define_table('SecretData',
> Field('data','string'),
> Field('file_owner', 'reference auth_user', default=auth.
> user_id)
> The table is already populated.
>
> On the *View* side, the user is able to send an ajax request which
> contains the *id*, and some data in order to *update* a record he owns.
>
> In this scenario, isn't possible for a user to tamper the *id* variable
> (i.e. through javascript) and mess up with data from other users?
> How can I protect against this and enforce the update of the right record?
>
> Thank you.
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
