How about http://web2py.com/books/default/chapter/29/06#Common-filters or http://web2py.com/books/default/chapter/29/06#Common-fields-and-multi-tenancy?

Anthony

On Wednesday, September 5, 2012 8:48:49 PM UTC-4, Kevin C wrote:
> We did something similar but it feels very hackish, considering it has
> to be done in every method of the admin controller. I just wanted to see
> if there was a better way.
>
> Thank you.
>
> Kevin Cackler
> Tech Daddies
> 501-205-1512
> http://www.techdaddies.com
>
> On 9/5/2012 7:45 PM, Bruno Rocha wrote:
> > You can do:
> >
> >     if request.args(0) in ['edit', 'delete']:
> >         STORE_DETAILS.id == int(request.args(2)) or redirect(URL('default', 'wherever'))
> >
> >     db.pages.stores_id.default = STORE_DETAILS.id
> >     query = ((db.pages.stores_id == STORE_DETAILS.id))
> >     form = SQLFORM.grid(query=query)
> >
> >     return dict(form=form)
> >
> > On Wed, Sep 5, 2012 at 9:38 PM, Kevin C <[email protected]> wrote:
> >> Basically, we are generating a SQLFORM.grid with the following code:
> >>
> >>     db.pages.stores_id.default = STORE_DETAILS.id
> >>     query = ((db.pages.stores_id == STORE_DETAILS.id))
> >>     form = SQLFORM.grid(query=query)
> >>
> >>     return dict(form=form)
> >>
> >> This is working perfectly fine for us. However, we have noticed that
> >> if we just change the ID in the query string for the edit page, we are
> >> allowed to edit other stores' entries.
> >>
> >> IE
> >> http://test.oursite.com/test/admin/pages/edit/pages/6?_signature=f8c5560743...
> >>
> >> What is the proper way to do this, then? The grid itself looks great,
> >> but just by changing the page ID in the URL, we are allowed to edit pages
> >> not belonging to us. I guess I was hoping that the query conditional would
> >> be passed to each function (add, edit, delete) but that obviously is not
> >> the case. Is multi-tenancy the solution to this issue or are we
> >> overlooking something simple?
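The problem in the thread is an insecure direct object reference: the grid's query only constrains the listing, while the edit/delete actions trust the record id from the URL. The added example below is not code from the thread or from web2py; it is a plain-Python model of the three approaches discussed (trusting the id, Bruno's per-action check, and a tenant filter applied to every lookup, which is what web2py's common filters that Anthony links to provide). The `Page`, `PagesTable`, `grid_*` names and the sample rows are constructed for the example.

```python
"""Model of why a grid query alone does not protect edit/delete actions.

Constructed example: an in-memory 'pages' table with a stores_id column,
and three ways of serving an edit request for a record id taken from the URL.
"""
from dataclasses import dataclass


@dataclass
class Page:
    id: int
    stores_id: int
    title: str


class PagesTable:
    """Tiny stand-in for db.pages with an optional tenant-wide filter."""

    def __init__(self, rows):
        self._rows = {row.id: row for row in rows}
        # Models web2py's db.pages._common_filter: once set, every lookup
        # passes through it, not just the query handed to the grid.
        self.common_filter = None

    def select(self, query):
        rows = [r for r in self._rows.values() if query(r)]
        if self.common_filter:
            rows = [r for r in rows if self.common_filter(r)]
        return rows

    def by_id(self, record_id):
        row = self._rows.get(record_id)
        if row is None:
            return None
        if self.common_filter and not self.common_filter(row):
            return None  # row exists but lies outside the tenant's scope
        return row


def grid_list(table, store_id):
    """The listing: constrained by the query, like SQLFORM.grid(query=...)."""
    return [p.id for p in table.select(lambda p: p.stores_id == store_id)]


def grid_edit_unscoped(table, store_id, record_id, new_title):
    """The edit action as the original poster observed it: the listing's
    query is not re-applied, so the record id from the URL is trusted."""
    row = table.by_id(record_id)
    if row is None:
        return "not found"
    row.title = new_title
    return "edited"


def grid_edit_checked(table, store_id, record_id, new_title):
    """Same action with an explicit ownership check on the target record,
    i.e. the per-action check the thread calls 'hackish'."""
    row = table.by_id(record_id)
    if row is None or row.stores_id != store_id:
        return "forbidden"
    row.title = new_title
    return "edited"


def demo():
    """Store 10 is the logged-in tenant; record 6 belongs to store 20."""
    def fresh_table():
        return PagesTable([Page(1, 10, "store 10 home"),
                           Page(6, 20, "store 20 home")])

    results = {}
    t = fresh_table()
    results["listing"] = grid_list(t, 10)                     # only [1]
    results["unscoped"] = grid_edit_unscoped(t, 10, 6, "x")   # "edited": IDOR
    t = fresh_table()
    results["checked"] = grid_edit_checked(t, 10, 6, "x")     # "forbidden"
    t = fresh_table()
    t.common_filter = lambda p: p.stores_id == 10             # set once per request
    results["common_filter"] = grid_edit_unscoped(t, 10, 6, "x")  # "not found"
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the one worth copying: the filter is attached to the table once per request (in web2py, in the model file after the current store is known), so every action that resolves a record id inherits it, and the per-action check no longer has to be repeated in each controller method.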

