What security issues arise if I create my own table to use in place of db.auth_group?
I have multi-tenant users that:
(1) require identical db.auth_group.role names (not allowed in db.auth_group),
(2) but also require sharing of common roles (not allowed with "_common_filter").

To get around this I could:
(1) Replicate the shared roles into every user's _common_filter. (But duplication does not usually seem like a good idea.)
(2) Not use _common_filter but instead make each user's role name unique by adding their primary key number in front of every role name. (Extra programming work.)
(3) The easiest way would be to create my own version of db.auth_group called db.Role and design the table so that it accepts non-unique role names, but the role-name along with the user-Id constitute the uniqueness of each record.

I'm concerned about the security impact of choice #3, and would like security to be the top priority. Are there problems in using it? Decorators would require user to have membership in db.Role.

Thanks,
Alex Glaros

