No, the check action never creates any record. It just allows you to
edit if you have access...
# optional check if auth.user is allowed to edit record
On Oct 7, 1:30 pm, guruyaya <[email protected]> wrote:
> I'm not sure, but isn't this method open to Cross site scripting? I
> can create an image tag with the http://.../check with ease!
>
> On Oct 6, 8:26 pm, mdipierro <[email protected]> wrote:
>
> > Say you have a table
>
> > db.define_table('item',
> >     Field('name'),
> >     Field('owner','reference auth_user'),  # queried by items() below
> >     Field('checked','boolean',default=False))
>
> > you can have two controllers like
>
> > def items():
> >     rows=db(db.item.owner==auth.user_id).select()
> >     return dict(rows=rows)
>
> > def check(): # this is a callback!
> >     record=db.item(request.args(0))
> >     # optional check if auth.user is allowed to edit record
> >     if record and record.checked==False:
> >         record.update_record(checked=True)
> >         return 'on'
> >     elif record and record.checked==True:
> >         record.update_record(checked=False)
> >         return 'off'
> >     return ''
>
> > and in the view default/items.html
>
> > <table>
> > {{for row in rows:}}
> >   <tr>
> >     <td>{{=row.name}}</td>
> >     <td><a href="#" id="q{{=row.id}}"
> >            onclick="ajax('{{=URL('check',args=row.id)}}',[],'q{{=row.id}}');return false;">{{=row.checked and 'on' or 'off'}}</a>
> >     </td>
> >   </tr>
> > {{pass}}
> > </table>
>
> > when you click on 'on' or 'off' it calls http://..../check/<id> and
> > the response will replace the 'on' or 'off'
>
>
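The concern raised in this thread, shown as a stand-alone added example (not code from the thread and not web2py's API): a toggle callback that refuses GET, requires a per-session token, and enforces the "optional" ownership check. The `ITEMS` dict, the plain `session` dict, `issue_token`, and the status codes are assumptions standing in for `db.item` and the framework's session.

```python
import hashlib
import hmac
import secrets

# Constructed rows standing in for the thread's `item` table.
ITEMS = {
    1: {"name": "milk", "owner": 10, "checked": False},
    2: {"name": "eggs", "owner": 20, "checked": True},
}


def issue_token(session):
    """Create the per-session key once and return the token the page embeds."""
    key = session.setdefault("csrf_key", secrets.token_bytes(32))
    return hmac.new(key, b"check", hashlib.sha256).hexdigest()


def check(method, session, item_id, token):
    """Toggle `checked` only for a tokened POST made by the record's owner."""
    if method != "POST":  # an image tag can only trigger a GET
        return 405, ""
    user_id = session.get("user_id")
    key = session.get("csrf_key")
    if user_id is None or key is None:
        return 401, ""
    expected = hmac.new(key, b"check", hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 403, ""
    record = ITEMS.get(item_id)
    if record is None or record["owner"] != user_id:
        return 404, ""  # same answer for missing and foreign rows
    record["checked"] = not record["checked"]
    return 200, "on" if record["checked"] else "off"


def demo():
    session = {"user_id": 10}  # constructed logged-in session
    token = issue_token(session)
    return [
        check("GET", session, 1, token),   # image-tag style request
        check("POST", session, 1, ""),     # request without the page's token
        check("POST", session, 2, token),  # another user's record
        check("POST", session, 1, token),  # legitimate click
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```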