Thanks for pointing that out, Martin. That's not very good for auth!

Massimo, have you considered an attribute to assign a group when a user registers using an auth.register form, e.g.

>> form=auth.register(membership=...)
>> dict(form=form)

Will create a form that will not be modified by the user during sign up? And possibly an attribute for the register link in auth.navbar to assign to a default group as well?

If I am not understanding the use of groups and memberships correctly, please feel free to correct me and point me in the right direction. There was probably a reason for web2py to work in this way?

From http://web2py.com/book/default/chapter/08#Authorization:

"""
Once a new user is registered, a new group is created to contain the user. The role of the new user is conventionally "user_[id]" where [id] is the id of the newly created id. The creation of the group can be disabled with

auth.settings.create_user_groups = False

although we do not suggest doing so.
"""

I don't understand why a new group is created to contain the new user - wouldn't this be duplicating the purpose of "user", with every user belonging to a group?

Thanks!

On Dec 3, 6:24 pm, Martín Mulone <[email protected]> wrote:
> yes but be aware with this code anyone can register as an admin.
>
> 2011/12/2 Massimo Di Pierro <[email protected]>
>

