I have the following code as a json service for changing user privileges.
This app doesn't need the fine-grained control of Web2py RBAC so I've
added an integer userlevel field to auth_user. It mostly works as intended
except when a logged in user alters her own userlevel. The change isn't
detected unless she logs out and then back in. I understand this is
because the auth.user record is cached in the session. What's the right
way to update a logged in user whose auth_user record may have changed?
@service.json
def set_user_group():
"""
Changes a user's group (userlevel)
Args:
first_name,last_name, newgroup in request.args
Returns: error message if auth fails
Raises: Nothing
"""
err = None
if auth.is_logged_in() and auth.user.userlevel >= 2:
# Ok to change it
first, last, newgroup = tuple(request.args)[-3:]
tbl = db.auth_user
qry = ((tbl.first_name == first) & (tbl.last_name == last))
rows = db(qry).select()
assert len(rows) <= 1 ## should be impossible to have duplicate
names
if len(rows) == 0:
err = "User '{} {}' not found in database!".format(first, last)
else:
id = rows[0][tbl.id]
newlevel = dict(user=0, tech=1, admin=2)[newgroup.lower()]
db(tbl.id == id).update(userlevel=newlevel)
else:
err = "Changing user groups requires log-in with admin privileges"
return dict(msg=err)
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
