Making appadmin available to all users is very dangerous because
appadmin allows you to write ANY Python in the search string. It is a
major vulnerability if you give other users access to it.
Instead of db.table.id>0 one can type for example [os.unlink(f) for f
in os.listdir('./')].
Massimo
On Jan 29, 12:11 am, mart <[email protected]> wrote:
> Hey this is nice! Makes it easy to create a group of admins! :)
>
> Also, you can always make appAdmin open & available for your app to
> all users (it's trivial to do really), although I don't see any
> benefit. Hum.... come to think of it, it's probably a bug. I like
> Bruno's script better than handing the keys to everyone because you
> can add filters and apply them to groups.
>
> Mart :)
>
> On Jan 28, 8:16 am, Bruno Rocha <[email protected]> wrote:
>
> > I use something like this:
>
> > </app/controllers/manage.py>
> > # web2py controller: db, crud, auth, request, URL, HTTP and the HTML
> > # helpers (UL, LI, A, SQLTABLE) come from the framework and the model files.
> > @auth.requires_membership('admin')
> > def index():
> >     args = request.args
> >     title = 'Administration'
> >     if not args:
> >         # /manage/index -> one link per table
> >         link = UL(*[LI(A(tab, _href=URL(args=tab))) for tab in db.tables])
> >         return dict(items=link, title=title)
> >
> >     # /manage/index/<table>          -> args(0) is the table
> >     # /manage/index/edit/<table>/<id> -> args(1) is the table
> >     i = 1 if args(1) else 0
> >
> >     for tab in db.tables:
> >         if tab == args(i):
> >             tb = db[tab]
> >             break
> >     else:
> >         raise HTTP(404)  # table name in the URL does not exist
> >
> >     # The original had next=URL(f='admin', ...) and linkto='editar'; neither
> >     # action is shown in the thread, so both are pointed back at this action
> >     # (assumed intent). 'titulo' was also renamed to 'title' so the heading
> >     # set here is the one actually returned.
> >     if args(0) == 'edit':
> >         form = crud.update(tb, args(2), next=URL(args=args(1)))
> >         items = None
> >         title = 'Edit %s ' % args(i)
> >     else:
> >         form = crud.create(tb)
> >         rows = db().select(tb.ALL)
> >         # row links become /manage/index/edit/<table>/<id>, handled above
> >         items = SQLTABLE(rows, linkto=URL(args='edit'))
> >         title = 'Insert %s ' % args(i)
> >
> >     return dict(form=form, items=items, title=title)
> >
> > </app/controllers/manage.py>
>
> > Bruno Rocha http://about.me/rochacbruno/bio
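The point Massimo makes at the top of the thread, shown as an added example that is not part of the thread, of web2py, or of appadmin: when a "search string" is handed to eval(), the string is a program, so the payload from his message deletes files instead of filtering rows. The second half shows one way to accept a filter string without executing it: parse it with the ast module and admit only `db.<table>.<field> <op> <literal>` joined by and/or/not, against a whitelist of table and field names (a real app would build that whitelist from `db.tables` and `db[t].fields`). `FakeDB`, `unsafe_filter`, `parse_filter`, `SCHEMA` and the constructed `person` table are all stand-ins for this example, not web2py APIs.

```python
import ast
import os
import tempfile


class _Table:
    """Minimal stand-in for a DAL table: enough for db.<table>.id to resolve."""

    def __init__(self, name):
        self.id = f"{name}.id"


class FakeDB:
    """Constructed stand-in for web2py's db object (not the real DAL)."""

    def __init__(self, *tables):
        for name in tables:
            setattr(self, name, _Table(name))


def unsafe_filter(db, search):
    """The pattern the thread warns about: the search string goes to eval().

    Dropping os from the namespace would not help: eval() always supplies
    __builtins__, so "__import__('os')" reaches the same module.
    """
    return eval(search, {"db": db, "os": os})  # deliberately vulnerable


def demo_unsafe_filter():
    """Run the thread's payload (adapted to a throw-away directory instead of
    './') and return how many files survive it: 0 means the 'search' deleted
    everything in the directory."""
    d = tempfile.mkdtemp()
    for name in ("a.txt", "b.txt"):
        open(os.path.join(d, name), "w").close()
    payload = f"[os.unlink(os.path.join({d!r}, f)) for f in os.listdir({d!r})]"
    unsafe_filter(FakeDB("person"), payload)
    survivors = len(os.listdir(d))
    os.rmdir(d)
    return survivors


# Safe alternative: parse, validate against a whitelist, never execute.
_ALLOWED_CMP = {
    ast.Gt: ">", ast.GtE: ">=", ast.Lt: "<",
    ast.LtE: "<=", ast.Eq: "==", ast.NotEq: "!=",
}


def _field(node, schema):
    """Accept exactly Attribute(Attribute(Name('db'), table), field)."""
    if (isinstance(node, ast.Attribute)
            and isinstance(node.value, ast.Attribute)
            and isinstance(node.value.value, ast.Name)
            and node.value.value.id == "db"):
        table, field = node.value.attr, node.attr
        if table in schema and field in schema[table]:
            return (table, field)
    raise ValueError("only whitelisted db.<table>.<field> references are allowed")


def _walk(node, schema):
    if isinstance(node, ast.BoolOp):
        op = "and" if isinstance(node.op, ast.And) else "or"
        return (op, [_walk(v, schema) for v in node.values])
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return ("not", _walk(node.operand, schema))
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _ALLOWED_CMP.get(type(node.ops[0]))
        rhs = node.comparators[0]
        if op and isinstance(rhs, ast.Constant) and isinstance(rhs.value, (int, float, str)):
            return ("cmp", _field(node.left, schema), op, rhs.value)
    # Calls, comprehensions, subscripts, names other than db, chained
    # comparisons and anything else land here and are refused, never run.
    raise ValueError(f"unsupported expression: {type(node).__name__}")


def parse_filter(search, schema):
    """Return a nested tuple describing the filter, or raise ValueError.

    schema maps table name -> set of field names.  Nothing in the search
    string is executed; the caller maps the result onto DAL queries.
    """
    tree = ast.parse(search, mode="eval")
    return _walk(tree.body, schema)


SCHEMA = {"person": {"id", "name"}}  # constructed sample whitelist


def is_rejected(search, schema=SCHEMA):
    """True if parse_filter refuses the string (bad syntax or disallowed node)."""
    try:
        parse_filter(search, schema)
    except (ValueError, SyntaxError):
        return True
    return False
```

The structured result (`("cmp", ("person", "id"), ">", 0)` and so on) is what the application then turns into `db.person.id > 0` on its own, so the user controls which whitelisted fields and literals appear, but never which Python runs.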