You can do:

    if request.args(0) in ['edit', 'delete']:
        # in the grid's edit/delete URLs request.args(1) is the table name
        # and request.args(2) the record id; resolve that record and make
        # sure it belongs to the current store before the grid handles it
        page = db.pages(request.args(2))
        if not page or page.stores_id != STORE_DETAILS.id:
            redirect(URL('default', 'wherever'))

    db.pages.stores_id.default = STORE_DETAILS.id
    query = ((db.pages.stores_id == STORE_DETAILS.id))
    form = SQLFORM.grid(query=query)

    return dict(form=form)



On Wed, Sep 5, 2012 at 9:38 PM, Kevin C <ke...@techdaddies.com> wrote:

> Basically, we are generating a SQLFORM.grid with the following code:
>
>     db.pages.stores_id.default = STORE_DETAILS.id
>     query = ((db.pages.stores_id == STORE_DETAILS.id))
>     form = SQLFORM.grid(query=query)
>
>     return dict(form=form)
>
> This is working perfectly fine for us.  However, we have noticed that if
> we just change the ID in the query string for the edit page, we are allowed
> to edit other stores' entries.
>
> i.e.
> http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743...
>
> What is the proper way to do this, then?  The grid itself looks great, but
> just by changing the page ID in the URL, we are allowed to edit pages not
> belonging to us.  I guess I was hoping that the query conditional would be
> passed to each function (add, edit, delete) but that obviously is not the
> case.  Is multi-tenancy the solution to this issue or are we overlooking
> something simple?
>

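The ownership check discussed above, worked through as runnable code. This is an added example and not code from the thread or from web2py: it uses the stdlib sqlite3 module in place of the web2py DAL, the stores/pages rows are constructed for the example, and the names build_db, grid_record_target, owner_check and compare_ids_check are mine. It goes slightly beyond the thread in two ways a practitioner would want: it treats a non-numeric id or a different table name in the URL as a denial instead of an error, and it shows beside the correct check the tempting mistake of comparing the store id with the record id in the URL.

```python
import sqlite3

# Grid sub-actions that address a single record as .../<action>/<table>/<id>.
GRID_RECORD_ACTIONS = ("edit", "delete", "view")


def build_db():
    """Constructed sample data (not from the thread): two stores, each
    owning some rows in "pages" through pages.stores_id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, "
               "stores_id INTEGER NOT NULL, title TEXT)")
    db.executemany("INSERT INTO stores VALUES (?, ?)",
                   [(1, "store one"), (2, "store two")])
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(5, 1, "store one home"),
                    (6, 2, "store two home"),
                    (7, 1, "store one about")])
    return db


def grid_record_target(args):
    """Return (action, table, record_id) when the URL args address one
    record, None for the list view and other non-record actions.
    Raises ValueError when a record action carries a malformed id."""
    if not args or args[0] not in GRID_RECORD_ACTIONS:
        return None
    if len(args) < 3:
        raise ValueError("record action without table and id")
    return args[0], args[1], int(args[2])


def compare_ids_check(current_store_id, args):
    """The wrong check: compares the store id with the record id from the
    URL.  The two ids come from different tables, so this blocks legitimate
    edits and lets a store edit whichever page happens to share its id.
    Included only to show what not to do."""
    try:
        target = grid_record_target(args)
    except ValueError:
        return False
    if target is None:
        return True  # list view: the grid's query already scopes the rows
    return target[2] == current_store_id


def owner_check(db, current_store_id, args):
    """Object-level authorization for grid edit/delete/view.

    Resolves the record named in the URL and allows the action only when
    its stores_id is the current store.  Unknown ids, other tables and
    malformed ids are denied; the list view passes because the grid's
    query restricts what it shows."""
    try:
        target = grid_record_target(args)
    except ValueError:
        return False  # e.g. .../edit/pages/abc: deny rather than raise a 500
    if target is None:
        return True
    action, table, record_id = target
    if table != "pages":
        return False
    row = db.execute("SELECT stores_id FROM pages WHERE id = ?",
                     (record_id,)).fetchone()
    return row is not None and row[0] == current_store_id


if __name__ == "__main__":
    db = build_db()
    # store 1 is logged in and tampers with the id in its own edit URL
    print(owner_check(db, 1, ["edit", "pages", "5"]))   # own page
    print(owner_check(db, 1, ["edit", "pages", "6"]))   # store 2's page
    print(compare_ids_check(1, ["edit", "pages", "5"]))  # wrong check rejects own page
```

In the controller the equivalent of owner_check runs before SQLFORM.grid is built, with request.args as the args and a redirect on False; the query passed to the grid still scopes the list, but only this check scopes the per-record actions.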