I did do that at first, and it works great for displaying the right
records, but the problem is that it doesn't do any kind of validation to
make sure that the record you're trying to edit or view actually matches
the query provided in the grid constructor. As in, I can replace the
record ID in the URL with any other record ID, and if it exists the grid
loads as if I were the record owner, when it should throw up an error of
some kind. Here's my workaround:
#controller
# records the current user owns: the same query the grid is built from
record_query = db.routes.owner == auth.user_id
# a record id in the URL (request.args(2)) must also satisfy that query
is_authorized = (db(record_query &
                    (db.routes.id == request.args(2))).count() == 1)
if not is_authorized and str(request.args(2)).isdigit():
    redirect(URL('index'))
grid = SQLFORM.grid(record_query, ...)
return dict(grid=grid)
On Saturday, March 3, 2012 12:02:56 PM UTC-7, Oli wrote:
>
> try this:
>
> # model
> db.define_table('adress',
>     Field('name'),
>     Field('email'),
>     Field('created_by', db.auth_user, default=auth.user_id))
>
> # controller
> def index():
>     """
>     example action using the internationalization operator T and flash
>     rendered by views/default/index.html or views/generic.html
>     """
>     # user_id = db.adress.select()
>     query = ((db.adress.created_by == auth.user_id))
>     grid = SQLFORM.grid(query=query)
>     return locals()
>
> OF.
>
>
> On Saturday, March 3, 2012 18:18:09 UTC+1, Serpent_Guard wrote:
>>
>> Yeah, I saw that, I guess I'm just a bit confused on how to implement it;
>> what I want is for each user to have CRUD permissions on a given table, but
>> only for records they've created themselves. Not sure how to do that with
>> groups. I have it working now with a custom DAL query, so it's not
>> super-critical at this point that I get it working with groups at this
>> point, but it'd be good to know.
>>
>>
>> On Friday, March 2, 2012 2:52:24 AM UTC-7, Oli wrote:
>>>
>>> look at this:
>>> http://web2py.com/books/default/chapter/29/7?search=Permission
>>>
>>> On Friday, March 2, 2012 10:40:58 UTC+1, Serpent_Guard wrote:
>>>
>>>> Is there a way to limit CRUD and/or SQLFORM.grid objects to only
>>>> operating on a subset of records, so they can be used as managers for
>>>> records based on ownership? As far as I can tell, CRUD works on either a
>>>> whole table level or single record label, nothing in between. SQLFORM.grid
>>>> does this quite well, with its second argument being a database query to
>>>> select its records. This is nice, but the problem is that I can still use
>>>> the form to view or edit other records that don't belong to me
>>>> (/index/view/4 - I can change the '4' to any number I want, and the grid
>>>> brings in the data without complaint). It seems the query is only used
>>>> when displaying the records as a list, after that there's no validation to
>>>> make sure that the record being requested for editing actually matches the
>>>> query passed into the form constructor.
>>>
>>>
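The ownership gate from the workaround at the top of the thread, written out as an added stand-alone example (not code from the thread or from web2py): sqlite3 stands in for the DAL's db.routes table, the sample rows are constructed, and the table-name check and the outright rejection of non-numeric ids are assumptions of this example rather than part of the original controller.

```python
import sqlite3

RECORD_ACTIONS = {"view", "edit", "delete"}   # grid URL verbs that address one record


def build_db():
    """Constructed sample data standing in for db.routes (owner = auth_user id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE routes (id INTEGER PRIMARY KEY, owner INTEGER, name TEXT)")
    conn.executemany("INSERT INTO routes VALUES (?, ?, ?)",
                     [(1, 10, "alice-route"), (2, 10, "alice-other"), (4, 20, "bob-route")])
    return conn


def record_access_allowed(conn, args, user_id):
    """args mirrors request.args of a grid URL, e.g. ['view', 'routes', '4'].
    A list/search/new request addresses no single record, so the grid's own
    query is enough; view/edit/delete must satisfy the same owner query."""
    if len(args) < 3 or args[0] not in RECORD_ACTIONS:
        return True
    if args[1] != "routes":            # assumption: this action manages one table only
        return False
    if not str(args[2]).isdigit():     # tampered id: reject instead of passing it on
        return False
    # same predicate as the grid query, AND-ed with the requested id
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM routes WHERE owner = ? AND id = ?",
        (user_id, int(args[2]))).fetchone()
    return count == 1


if __name__ == "__main__":
    db = build_db()
    print(record_access_allowed(db, ["view", "routes", "1"], 10))   # True: own record
    print(record_access_allowed(db, ["view", "routes", "4"], 10))   # False: someone else's
```

Because the check reuses the grid's own owner predicate, a record that the list would never show can never be opened through a hand-edited URL either, which is the gap the thread describes.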