Thank you. But still, the user is able to tamper with data on the client side, right?
On Sunday, August 10, 2014 11:00:47 PM UTC+3, Cliff Kachinske wrote:
>
> Each user has a unique group with only one member: him.
>
> So in your controller, something like
>
>
> def my_great_function():
>
>     # Not sure if Web2py session supports get, session.get(auth.user.id,
>     # 'nobody') would be more concise than the next 4 lines of code.
>     if 'auth' in session:  # defensive code in case session has timed out
>         user_id = auth.user.id
>     else:
>         return  # Session has timed out, most likely. Maybe you want to
>                 # redirect to login screen
>         # user_id = 'nobody' Alternative if you don't want to redirect
>     group_name = 'user_{}'.format(user_id)
>     if not auth.has_membership(group_name):
>         # whatever you decide to do with failed attempt
>         pass
>     # Your great code here
>     pass
>
>
>
>
> On Friday, August 8, 2014 6:03:34 PM UTC-4, desta wrote:
>>
>> Let's assume a table:
>> db.define_table('SecretData',
>>     Field('data', 'string'),
>>     Field('file_owner', 'reference auth_user', default=auth.user_id))
>> The table is already populated.
>>
>> On the *View* side, the user is able to send an ajax request which
>> contains the *id*, and some data in order to *update* a record he owns.
>>
>> In this scenario, isn't it possible for a user to tamper with the *id* variable
>> (i.e. through javascript) and mess with data from other users?
>> How can I protect against this and enforce the update of the right record?
>>
>> Thank you.
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
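Worked example of the point the thread circles around, added here and not taken from any of the posters or from web2py itself: the browser can always change the *id* it sends, so the only place the ownership check can live is in the server-side update. The example below models the thread's SecretData table in an in-memory sqlite3 database (a constructed stand-in for web2py's DAL; user ids 100 and 200 and the row contents are made up) and contrasts an update that trusts the submitted id with one that scopes the UPDATE to `id AND file_owner = <session user>`, which is the same idea as filtering a DAL query by both fields. The web2py DAL equivalent is shown in a comment and is an assumption about how one would write it against the table from the original question, not code from the project.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, one secret row each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SecretData (id INTEGER PRIMARY KEY, data TEXT, file_owner INTEGER)"
    )
    conn.executemany(
        "INSERT INTO SecretData (id, data, file_owner) VALUES (?, ?, ?)",
        [(1, "alice's note", 100), (2, "bob's note", 200)],
    )
    conn.commit()
    return conn


def update_unchecked(conn, record_id, new_data, current_user):
    """Trusts the id sent by the browser: any logged-in user can overwrite any row.

    This is the shape of the problem the original question describes.
    """
    cur = conn.execute(
        "UPDATE SecretData SET data = ? WHERE id = ?", (new_data, record_id)
    )
    conn.commit()
    return cur.rowcount


def update_owned(conn, record_id, new_data, current_user):
    """Server-side ownership check: the row must belong to the session's user.

    Assumed web2py DAL equivalent (hypothetical, written against the
    table from the question):
        n = db((db.SecretData.id == record_id) &
               (db.SecretData.file_owner == auth.user_id)).update(data=new_data)
    A tampered id simply matches no row, so nothing is written.
    """
    if current_user is None:
        # Session timed out or user not logged in: refuse rather than guess an owner.
        return 0
    cur = conn.execute(
        "UPDATE SecretData SET data = ? WHERE id = ? AND file_owner = ?",
        (new_data, record_id, current_user),
    )
    conn.commit()
    # 0 means "not yours or does not exist"; the controller should answer 403/404
    # for both so the response does not reveal which it was.
    return cur.rowcount


def read(conn, record_id):
    row = conn.execute(
        "SELECT data FROM SecretData WHERE id = ?", (record_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Replay a tampered request: user 100 submits id=2, which belongs to user 200."""
    results = {}

    conn = make_db()
    results["unchecked_rows"] = update_unchecked(conn, 2, "overwritten", 100)
    results["unchecked_bob"] = read(conn, 2)  # Bob's row was clobbered

    conn = make_db()
    results["owned_rows"] = update_owned(conn, 2, "overwritten", 100)
    results["owned_bob"] = read(conn, 2)  # Bob's row untouched
    results["own_record_rows"] = update_owned(conn, 1, "alice edited", 100)
    results["own_record"] = read(conn, 1)  # Alice can still edit her own row
    results["anon_rows"] = update_owned(conn, 1, "x", None)  # expired session
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The ownership predicate goes into the query rather than into a separate "does this user own id X?" lookup followed by the update, so there is no window between check and write and no code path that can forget the check; the per-user group trick from the reply above works too, but it still has to be combined with a query on `file_owner`, because group membership says who the user is, not which rows are theirs.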