Technically Anthony is right. appadmin is not an app, it is a controller
in each one of your apps. Historically appadmin was designed this way
to overcome a problem I had experienced with Django (only one appadmin
- which they call admin - per Django instance. This has changed since
in Django too).

appadmin uses admin authentication but that is just the default
behavior.

Nothing prevents you from renaming appadmin or editing it such that it
uses the app's own authentication mechanism.

The name appadmin was chosen because even today it mostly deals with
db administration, this may change in the future.

The reason appadmin requires admin access is that appadmin accepts more
than queries and does not validate input. A user with access to appadmin
can do as much damage as a user with access to admin, i.e. that user
has complete read/write access as the user running web2py has.

Instead of giving users access to appadmin, create your own controller
action:

@auth.requires_login()
def data(): return crud()

and this will give all users access to

/app/default/data/tables
/app/default/data/search/<tablename>
/app/default/data/select/<tablename>
/app/default/data/create/<tablename>
/app/default/data/update/<tablename>/id
/app/default/data/delete/<tablename>/id

On Feb 27, 8:40 pm, mart <[email protected]> wrote:
> well, I have to check... Naturally (and there is always a chance - I'm
> actually left feeling surprised when I am not wrong), I could be
> completely missing the mark here. I do know that a copy (with a new
> name) of appadmin is quite open to all users (because I did that
> once), but just thought I'd mention...
>
> As for the appadmin not being an app... alright, sure. But, I can log
> onto a web2py server (without logging into any application) and
> view, update, delete data from any app's DB. Because I can do that, I
> tend to want to see it as a feature of having admin privileges... admin
> vs appadmin or app vs .py file with a view. I still see them belonging
> together (even if I am wrong about it).
>
> Mart
>
> On Feb 27, 8:46 pm, Anthony <[email protected]> wrote:
>
> > appadmin isn't a separate app (like admin) -- it's a controller file
> > (appadmin.py) and view file (appadmin.html) included in the welcome and
> > admin apps. I'm not sure, but it looks like you might be able to rename it,
> > though I think the links from admin to appadmin would no longer work, and
> > appadmin.py makes one reference to appadmin.html, which would have to be
> > changed. I'm not sure if there are any security issues.
>
> > Anthony
>
> > On Sunday, February 27, 2011 7:52:31 PM UTC-5, mart wrote:
> > > and it's an app... ;) and I think renaming it on the fly will cause you
> > > to lose the security around it (will be exposed to all users, I
> > > think)
>
> > > On Feb 27, 2:22 pm, pbreit <[email protected]> wrote:
> > > > Well, it also includes /state and /cache so I'd say leave it for now.
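
Added example, not part of the original thread and not web2py's own code: the one-line data action above exposes every table and every create/update/delete URL to any logged-in user, so this framework-independent sketch shows a per-request check over those same URL segments that limits the reachable tables and the users allowed to write. The POLICY contents, group names and function names are assumptions; in a controller the segments would come from request.args.

```python
# Added sketch (not web2py code): decide whether one /app/default/data/...
# request may proceed. Table and group names below are constructed.
READ_ACTIONS = {"tables", "search", "select"}
WRITE_ACTIONS = {"create", "update", "delete"}
NEEDS_ID = {"update", "delete"}

# Constructed policy: the only tables reachable through the action, and the
# group a logged-in user needs before changing rows in each of them.
POLICY = {
    "product": {"write_group": "editors"},
    "comment": {"write_group": "moderators"},
}


def split_data_path(path, prefix="/app/default/data/"):
    """Return the URL segments that follow /data/, as a list."""
    if not path.startswith(prefix):
        return []
    return [seg for seg in path[len(prefix):].split("/") if seg]


def check_data_request(args, logged_in, groups, policy=POLICY):
    """Return (allowed, reason) for the segments that follow /data/."""
    if not logged_in:
        return False, "login required"
    if not args:
        return False, "missing action"
    action, rest = args[0], list(args[1:])
    if action not in READ_ACTIONS | WRITE_ACTIONS:
        return False, "unknown action"
    if action == "tables":
        return (True, "ok") if not rest else (False, "unexpected arguments")
    if not rest or rest[0] not in policy:
        return False, "table not exposed"  # anything outside the allow-list
    table, extra = rest[0], rest[1:]
    if action in NEEDS_ID:
        if len(extra) != 1 or not (extra[0].isascii() and extra[0].isdigit()):
            return False, "record id required"
    elif extra:
        return False, "unexpected arguments"
    if action in WRITE_ACTIONS and policy[table]["write_group"] not in groups:
        return False, "write not permitted"
    return True, "ok"
```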
