Basically, we are generating a SQLFORM.grid with the following code:

    # new rows created through the grid are stamped with the current store
    db.pages.stores_id.default = STORE_DETAILS.id
    # the listing is restricted to the current store's pages
    query = (db.pages.stores_id == STORE_DETAILS.id)
    form = SQLFORM.grid(query=query)

    return dict(form=form)

This is working perfectly fine for us.  However, we have noticed that if we 
just change the ID in the query string for the edit page, we are allowed to 
edit other stores' entries.

I.e.
http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743...

What is the proper way to do this, then?  The grid itself looks great, but 
just by changing the page ID in the URL, we are allowed to edit pages not 
belonging to us.  I guess I was hoping that the query conditional would be 
passed to each function (add, edit, delete) but that obviously is not the 
case.  Is multi-tenancy the solution to this issue or are we overlooking 
something simple?
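As an added illustration (not code from this post or from web2py itself), here is the check the edit step is missing, written in plain Python with constructed sample rows standing in for db.pages: the store predicate behind the listing query is reused when the record id taken from the edit URL is loaded, so an id belonging to another store is refused before anything is written. In web2py one place to attach that condition so it applies to every lookup on the table, not only the grid listing, is the DAL's common_filter.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Page:
    """Stand-in for a row of db.pages (constructed, not a web2py Row)."""
    id: int
    stores_id: int
    title: str


# Constructed sample data: store 1 owns pages 5 and 6, store 2 owns page 7.
PAGES: Dict[int, Page] = {
    5: Page(5, 1, "Home"),
    6: Page(6, 1, "About"),
    7: Page(7, 2, "Another store's page"),
}


class NotAuthorized(Exception):
    """Raised when a record outside the current store is requested."""


def store_filter(store_id: int) -> Callable[[Page], bool]:
    """Equivalent of `db.pages.stores_id == STORE_DETAILS.id`, kept as one
    predicate so the listing and the edit lookup cannot drift apart."""
    return lambda page: page.stores_id == store_id


def list_pages(store_id: int) -> List[Page]:
    """What the grid listing already does: only rows matching the filter."""
    owned = store_filter(store_id)
    return [p for p in PAGES.values() if owned(p)]


def load_for_edit(page_id: int, store_id: int) -> Page:
    """The missing step: the id from the edit URL is resolved through the
    same store filter, so /pages/edit/pages/<other store's id> is refused."""
    page = PAGES.get(page_id)
    if page is None or not store_filter(store_id)(page):
        # One uniform refusal; do not reveal whether the row exists elsewhere.
        raise NotAuthorized(f"page {page_id} is not in store {store_id}")
    return page


def edit_page(page_id: int, store_id: int, new_title: str) -> Page:
    """Edit handler: authorize the row first, then write."""
    page = load_for_edit(page_id, store_id)
    page.title = new_title
    return page
```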
