Basically, we are generating a SQLFORM.grid with the following code: db.pages.stores_id.default = STORE_DETAILS.id query = ((db.pages.stores_id == STORE_DETAILS.id)) form = SQLFORM.grid(query=query)
return dict(form=form) This is working perfectly fine for us. However, we have noticed that if we just change the ID in the query string for the edit page, we are allowed to edit other store's entries. IE http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743.<http://test.shofty.com/shofty/admin/pages/edit/pages/6?_signature=f8c55607435864253b5f5b37a6b7109956e4a8fa> .. What is the proper way to do this, then? The grid itself looks great, but just by changing the page ID in the URL, we are allowed to edit pages not belonging to us. I guess I was hoping that the query conditional would be passed to each function (add, edit, delete) but that obviously is not the case. Is multi-tenancy the solution to this issue or are we overlooking something simple? --