look at this: http://web2py.com/books/default/chapter/29/7?search=Permission
On Friday, 2 March 2012 at 10:40:58 UTC+1, Serpent_Guard wrote:
> Is there a way to limit CRUD and/or SQLFORM.grid objects to only operating
> on a subset of records, so they can be used as managers for records based
> on ownership? As far as I can tell, CRUD works on either a whole table
> level or single record label, nothing in between. SQLFORM.grid does this
> quite well, with its second argument being a database query to select its
> records. This is nice, but the problem is that I can still use the form to
> view or edit other records that don't belong to me (/index/view/4 - I can
> change the '4' to any number I want, and the grid brings in the data
> without complaint). It seems the query is only used when displaying the
> records as a list, after that there's no validation to make sure that the
> record being requested for editing actually matches the query passed into
> the form constructor.
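
The gap described in the question, sketched outside web2py as an added example (not code from this thread or from web2py): the ownership constraint that scopes the list has to be applied again on every by-id read and write. The `note` table, the user ids and all function names are constructed for illustration, using Python's `sqlite3`.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 10 owns notes 1 and 2, user 20 owns note 4.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE note (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    db.executemany(
        "INSERT INTO note VALUES (?, ?, ?)",
        [(1, 10, "alice draft"), (2, 10, "alice todo"), (4, 20, "bob private")],
    )
    return db

def list_notes(db, user_id):
    # The list view is scoped by the ownership constraint.
    rows = db.execute("SELECT id FROM note WHERE owner_id = ? ORDER BY id", (user_id,))
    return [r[0] for r in rows]

def fetch_by_id_only(db, record_id):
    # The behaviour the question describes: the detail view trusts the id
    # taken from the URL and never re-applies the list constraint.
    return db.execute(
        "SELECT id, owner_id, body FROM note WHERE id = ?", (record_id,)
    ).fetchone()

def fetch_scoped(db, user_id, record_id):
    # Same constraint as the list, ANDed with the requested id.
    row = db.execute(
        "SELECT id, owner_id, body FROM note WHERE id = ? AND owner_id = ?",
        (record_id, user_id),
    ).fetchone()
    if row is None:
        # One error for "missing" and "not yours", so the response does not
        # reveal which ids exist.
        raise PermissionError("record not available")
    return row

def update_scoped(db, user_id, record_id, body):
    # Writes carry the constraint too; a zero rowcount means the record is
    # absent or owned by someone else.
    cur = db.execute(
        "UPDATE note SET body = ? WHERE id = ? AND owner_id = ?",
        (body, record_id, user_id),
    )
    if cur.rowcount != 1:
        raise PermissionError("record not available")
    return cur.rowcount
```
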

