On Saturday, December 3, 2011 8:58:54 AM UTC-5, lyn2py wrote:
>
> Thanks for pointing that out Martin. That's not very good for auth!
>
> Massimo, have you considered an attribute to assign a group when a
> user registers using an auth.register form, e.g.
> >> form=auth.register(membership=...)
> >> dict(form=form)
> Will create a form that will not be modified by the user during sign
> up?
>
It depends on where the value of 'membership' comes from and where it is
stored. If it still comes from the URL and is stored in the form, it could
still be hacked. You're probably better off simply adding a check to
Massimo's code:
def register_in_group():
    group_id = request.args(0)
    # allowed_groups is a list of group ids users may join on sign-up
    if group_id in allowed_groups:
        auth.settings.register_onaccept = lambda form: auth.add_membership(group_id, form.vars.id)
    form = auth.register()
    return dict(form=form)
> I don't understand why a new group is created to contain the new user
> - wouldn't this be duplicating the purpose of "user", with every user
> belonging to a group?
>
Permissions are assigned to groups, not users, so if you want to be able to
assign permissions to individual users, they have to be in their own group.
If you don't need that functionality, you can remove the individual groups.
Anthony
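As an added illustration (not part of the thread, and not web2py's own code), here is a self-contained Python model of the two points above: why a group id read straight from the URL must be checked against a server-side allowlist, and why a per-user permission needs the user's own group. ToyAuth, parse_group_id, register_in_group_unchecked, register_in_group_checked and demo are names invented for this example; the method names on ToyAuth mirror web2py's Auth API but the bodies are a toy in-memory stand-in, and the users, groups and permissions in demo() are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ToyAuth:
    """Toy stand-in for web2py's Auth: auth_group, auth_membership and
    auth_permission kept in memory. Method names mirror web2py's; the
    bodies are this example's own (assumption, not web2py code)."""
    groups: dict = field(default_factory=dict)      # group_id -> role name
    memberships: set = field(default_factory=set)   # (group_id, user_id)
    permissions: set = field(default_factory=set)   # (group_id, name, table, record_id)
    next_group_id: int = 1
    next_user_id: int = 1

    def add_group(self, role):
        gid, self.next_group_id = self.next_group_id, self.next_group_id + 1
        self.groups[gid] = role
        return gid

    def add_membership(self, group_id, user_id):
        if group_id not in self.groups:
            raise ValueError("unknown group %r" % (group_id,))
        self.memberships.add((group_id, user_id))

    def add_permission(self, group_id, name, table="", record_id=0):
        self.permissions.add((group_id, name, table, record_id))

    def user_groups(self, user_id):
        return {g for g, u in self.memberships if u == user_id}

    def has_permission(self, user_id, name, table="", record_id=0):
        # As in web2py: permissions attach to groups, so a user holds one
        # only through a group they belong to.
        return any((g, name, table, record_id) in self.permissions
                   for g in self.user_groups(user_id))

    def register(self, email, onaccept=None):
        """Stand-in for auth.register(): create the user, give it its own
        'user_N' group (web2py's default), then run the onaccept hook with
        a form-like dict carrying the new user's id."""
        uid, self.next_user_id = self.next_user_id, self.next_user_id + 1
        self.add_membership(self.add_group("user_%d" % uid), uid)
        if onaccept is not None:
            onaccept({"id": uid, "email": email})
        return uid


def parse_group_id(url_arg):
    """request.args(0) arrives as a string; anything non-numeric is treated
    as 'no group' instead of being passed through."""
    return int(url_arg) if isinstance(url_arg, str) and url_arg.isdigit() else None


def register_in_group_unchecked(auth, url_arg, email):
    """The pattern under discussion: any group id in the URL becomes a
    membership, so /register_in_group/<admin group id> joins the admin group."""
    group_id = parse_group_id(url_arg)
    onaccept = None
    if group_id is not None:
        onaccept = lambda form: auth.add_membership(group_id, form["id"])
    return auth.register(email, onaccept=onaccept)


def register_in_group_checked(auth, url_arg, email, allowed_groups):
    """Anthony's fix: install the membership hook only when the URL's group
    id is in the server-side allowlist of self-assignable groups."""
    group_id = parse_group_id(url_arg)
    onaccept = None
    if group_id in allowed_groups:
        onaccept = lambda form: auth.add_membership(group_id, form["id"])
    return auth.register(email, onaccept=onaccept)


def demo():
    """Constructed scenario: an admin group, a self-service reader group,
    the same crafted URL against both handlers, and one per-user grant."""
    auth = ToyAuth()
    admins = auth.add_group("admin")
    readers = auth.add_group("reader")
    auth.add_permission(admins, "delete", "post")
    auth.add_permission(readers, "read", "post")
    allowed = {readers}

    mallory = register_in_group_unchecked(auth, str(admins), "mallory@example.com")
    eve = register_in_group_checked(auth, str(admins), "eve@example.com", allowed)
    bob = register_in_group_checked(auth, str(readers), "bob@example.com", allowed)
    alice = register_in_group_checked(auth, str(readers), "alice@example.com", allowed)

    # Per-user grant on one record: possible only because Bob owns a group.
    bob_own = next(g for g in auth.user_groups(bob) if auth.groups[g] == "user_%d" % bob)
    auth.add_permission(bob_own, "edit", "post", 42)

    return {
        "mallory_is_admin": auth.has_permission(mallory, "delete", "post"),
        "eve_is_admin": auth.has_permission(eve, "delete", "post"),
        "bob_can_read": auth.has_permission(bob, "read", "post"),
        "bob_can_edit_42": auth.has_permission(bob, "edit", "post", 42),
        "alice_can_edit_42": auth.has_permission(alice, "edit", "post", 42),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The allowlist lives in server code, never in the form or URL, which is the whole difference between the two handlers; if you drop the per-user groups to save rows, the "edit record 42" grant for Bob alone has nowhere to attach.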