Is there a way to limit CRUD and/or SQLFORM.grid objects to only operating 
on a subset of records, so they can be used as managers for records based 
on ownership?  As far as I can tell, CRUD works on either a whole table 
level or single record level, nothing in between.  SQLFORM.grid does this 
quite well, with its second argument being a database query to select its 
records.  This is nice, but the problem is that I can still use the form to 
view or edit other records that don't belong to me (/index/view/4 - I can 
change the '4' to any number I want, and the grid brings in the data 
without complaint).  It seems the query is only used when displaying the 
records as a list, after that there's no validation to make sure that the 
record being requested for editing actually matches the query passed into 
the form constructor.
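As an added illustration of the check the post describes as missing, and not code from the post or from web2py itself: a plain sqlite3 model of a per-user record manager in which the same ownership predicate that filters the listing is also applied on the single-record view and edit paths. The table, column names and user names are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original post): a "document" table
# with an owner column, standing in for any table managed per user.
SAMPLE_ROWS = [
    (1, "alice", "alice's first note"),
    (2, "alice", "alice's second note"),
    (3, "bob", "bob's private note"),
    (4, "carol", "carol's private note"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE document (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO document VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def owner_filter(user):
    """The single row-level predicate, written once and reused by every path.

    This plays the role of the query handed to the grid constructor: if it is
    applied only when listing, the per-record URLs are left unprotected.
    """
    return "owner = ?", (user,)


def list_documents(conn, user):
    """Listing path: the ownership filter is applied here, as the grid does."""
    where, params = owner_filter(user)
    rows = conn.execute(f"SELECT id FROM document WHERE {where} ORDER BY id", params)
    return [row[0] for row in rows]


def view_document_unchecked(conn, user, record_id):
    """Models the behaviour the post describes: the record is fetched by id
    alone, so any id typed into the URL is honoured regardless of owner."""
    del user  # deliberately ignored; this is the insecure variant
    return conn.execute(
        "SELECT id, owner, body FROM document WHERE id = ?", (record_id,)
    ).fetchone()


def view_document_checked(conn, user, record_id):
    """Hardened view: the id lookup is ANDed with the same ownership predicate,
    so a record outside the caller's subset simply reads as not found."""
    where, params = owner_filter(user)
    return conn.execute(
        f"SELECT id, owner, body FROM document WHERE id = ? AND {where}",
        (record_id, *params),
    ).fetchone()


def update_document_checked(conn, user, record_id, new_body):
    """Hardened edit: the UPDATE carries the ownership predicate too, so an
    edit of someone else's record affects zero rows. Returns the row count."""
    where, params = owner_filter(user)
    cur = conn.execute(
        f"UPDATE document SET body = ? WHERE id = ? AND {where}",
        (new_body, record_id, *params),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("alice's list:", list_documents(db, "alice"))
    print("unchecked view of id 4 as alice:", view_document_unchecked(db, "alice", 4))
    print("checked view of id 4 as alice:", view_document_checked(db, "alice", 4))
    print("checked edit of id 4 as alice, rows affected:",
          update_document_checked(db, "alice", 4, "overwritten"))
```

The point of `owner_filter` is that the listing and the per-record paths share one predicate, so the subset cannot drift between them. In web2py DAL terms the same idea is to look the record up through the query the grid was given, for instance `db(query & (db.document.id == record_id)).select().first()`, rather than `db.document(record_id)` alone; whether a given web2py release already does this inside SQLFORM.grid is not settled by the post above.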
