I realize T2 is deprecated, but here's (http://www.mail-archive.com/ [email protected]/msg05280.html) further reference to the behaviour I'm expecting.

"
now give yourself back permission *only* to select record in table [app]_user

group_id=auth.add_group(role='Manager')
auth.add_membership(group_id,auth.user.id)
auth.add_permission(group_id,'select','[app]_user')
"

On Feb 15, 5:04 pm, rocket <[email protected]> wrote:
> I found this
> thread<http://www.mail-archive.com/[email protected]/msg17851.html>
> which seems to indicate that something was being done about this, but it still
> seems like only create, read, update and delete are actually being enforced
> by crud.settings.auth=auth. This is contrary to the book which says
>
> The permissions names enforced by:
>
> crud.settings.auth = auth
>
> are "read", "create", "update", "delete", "select", "impersonate".
>
> Any insight into this? What's the best practices approach to restricting
> all access then granting only what's needed?

