If your PHP code has no access control then, yes, people will just be able to copy/paste URLs to gain access and I'm not sure Web2py can help you out.
But you should be able to set up passwords on the web server. For example, Cherokee: http://www.cherokee-project.com/doc/modules_validators.html
