We did something similar but it feels very hackish, considering it has to be done in every method of the admin controller. I just wanted to see if there was a better way.

Thank you.

Kevin Cackler
Tech Daddies
501-205-1512
http://www.techdaddies.com

On 9/5/2012 7:45 PM, Bruno Rocha wrote:
You can do:

    if request.args(0) in ['edit', 'delete']:
        # Only act on the record when it is the caller's own; otherwise bounce
        STORE_DETAILS.id == int(request.args(2)) or redirect(URL('default', 'wherever'))

    db.pages.stores_id.default = STORE_DETAILS.id
    query = ((db.pages.stores_id == STORE_DETAILS.id))
    form = SQLFORM.grid(query=query)

    return dict(form=form)



On Wed, Sep 5, 2012 at 9:38 PM, Kevin C <ke...@techdaddies.com> wrote:

    Basically, we are generating a SQLFORM.grid with the following code:

    db.pages.stores_id.default = STORE_DETAILS.id
    query = ((db.pages.stores_id == STORE_DETAILS.id))
    form = SQLFORM.grid(query=query)

    return dict(form=form)

    This is working perfectly fine for us.  However, we have noticed
    that if we just change the ID in the query string for the edit
    page, we are allowed to edit other stores' entries.

    i.e.
    http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743.

    What is the proper way to do this, then?  The grid itself looks
    great, but just by changing the page ID in the URL, we are allowed
    to edit pages not belonging to us.  I guess I was hoping that the
    query conditional would be passed to each function (add, edit,
    delete) but that obviously is not the case.  Is multi-tenancy the
    solution to this issue or are we overlooking something simple?
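The check Bruno sketches above, written out as an added example that is not code from either poster and does not depend on web2py: a plain in-memory `PAGES` table stands in for `db.pages`, the `args` list mirrors what `request.args` holds for a grid URL such as `.../pages/edit/pages/6` (assumed layout `['edit', 'pages', '6']`), and `authorize_grid_action` is a hypothetical helper name. Rather than comparing the record id with the store id, it loads the record and verifies its `stores_id` belongs to the requesting store, which is the ownership test the thread is after.

```python
# Added example: tenant-ownership check for grid edit/delete/view actions.
# Runs stand-alone; PAGES and the args layout are constructed assumptions.

# Constructed sample data: page records and the store each belongs to.
PAGES = {
    5: {"id": 5, "stores_id": 1, "title": "Home"},
    6: {"id": 6, "stores_id": 2, "title": "About"},
}

RECORD_ACTIONS = ("edit", "delete", "view")


class NotAuthorized(Exception):
    """Raised when the requested record does not belong to the caller's store."""


def authorize_grid_action(args, current_store_id, pages=PAGES):
    """Return the record when the action is allowed, raise NotAuthorized otherwise.

    args mirrors request.args for a grid URL, e.g. ['edit', 'pages', '6'].
    The list view (no record id) passes through and returns None because the
    grid's own query already scopes the rows; any per-record action must
    prove the record's stores_id equals the requesting store.
    """
    if not args or args[0] not in RECORD_ACTIONS:
        return None

    # A malformed or missing id is refused, not treated as "no record".
    try:
        record_id = int(args[2])
    except (IndexError, ValueError):
        raise NotAuthorized("malformed record id in %r" % (args,))

    record = pages.get(record_id)
    # "Missing" and "owned by another store" get the same answer so the
    # response does not reveal whether a given id exists.
    if record is None or record["stores_id"] != current_store_id:
        raise NotAuthorized(
            "record %d is not owned by store %d" % (record_id, current_store_id)
        )
    return record


def is_allowed(args, current_store_id, pages=PAGES):
    """Boolean convenience wrapper around authorize_grid_action."""
    try:
        authorize_grid_action(args, current_store_id, pages)
    except NotAuthorized:
        return False
    return True


if __name__ == "__main__":
    # Store 1 may edit its own page 5 but not store 2's page 6.
    print(is_allowed(["edit", "pages", "5"], 1))   # True
    print(is_allowed(["edit", "pages", "6"], 1))   # False
    print(is_allowed(["delete", "pages", "x"], 1))  # False
```

Calling the helper once at the top of the controller function, before `SQLFORM.grid` is built, keeps the check out of every branch; in the web2py setting the `redirect(...)` from Bruno's snippet would replace the raised exception.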