Please can you explain how the id mechanism prevents the problem that I describe.
User A selects record with id=99 that has the following columns/values: "name" = "Massimo", "town" = "Chicago".
User B selects the same record, id=99, "name" = "Massimo", "town" = "Chicago".
User B updates the name to "Massimo di Pierro", leaves "town" = "Chicago" and submits the form. The database is updated.
User A (on the form displayed prior to user B's action) updates the "town" to "New York" and submits the form.

As the id is still 99, the database will be updated and the version on the database will be: id=99, name="Massimo", town="New York", i.e. unknown to both users A and B, user B's action has been silently undone. I have just tested this again and it is what happens.

In my suggested solution, the new column (version or timestamp) would have been updated during user B's update and therefore would not match with the value submitted by user A, allowing user A's update to fail and providing the opportunity to notify user A as to what had occurred.

The purpose of the feature is not to prevent user A from updating the record - he/she just re-displays user B's values, changes them and submits - it is just to prevent user A doing it without knowing.

Bill

On Oct 15, 2:18 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> Not True.
>
> There is a mechanism to prevent that. SQLFORM for update forms stores
> the record id server side. If the user tampers with the form, accepts
> detects it.
>
> Massimo
>
> On Oct 15, 3:59 am, billf <[EMAIL PROTECTED]> wrote:
>
> > If a user knows the id of a record then, by default, there is nothing
> > to stop them deleting a record from the database irrespective of the
> > delete checkbox being displayed. For example:
>
> >http://my_server:my_port/my_application/my_controller/my_action?id=th...
>
> > I know this is unlikely but in a business situation it seems a bit
> > lax. In SQLFORM, deletable is just used to decide whether to create
> > the checkbox or not.
> > Perhaps it should be saved in the form or
> > session and checked before actually deleting.
>
> > Bill
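
The lost update described at the top of this thread, and the version-column check proposed for it, as an added example that is not part of the original messages and is not web2py code. It uses plain sqlite3; the table `person`, the `version` column and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample row matching the scenario in the message (id=99).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, "
                 "town TEXT, version INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO person (id, name, town) "
                 "VALUES (99, 'Massimo', 'Chicago')")
    return conn

def load_form(conn, rec_id):
    # What a user's form holds: field values plus the version seen at read time.
    name, town, version = conn.execute(
        "SELECT name, town, version FROM person WHERE id = ?",
        (rec_id,)).fetchone()
    return {"id": rec_id, "name": name, "town": town, "version": version}

def submit_unchecked(conn, form):
    # Keyed on id only: a stale form overwrites whatever is stored now.
    conn.execute("UPDATE person SET name = ?, town = ? WHERE id = ?",
                 (form["name"], form["town"], form["id"]))
    return True

def submit_checked(conn, form):
    # Compare-and-swap on version: succeeds only if the row is unchanged
    # since this form was loaded; otherwise no row matches and nothing is written.
    cur = conn.execute(
        "UPDATE person SET name = ?, town = ?, version = version + 1 "
        "WHERE id = ? AND version = ?",
        (form["name"], form["town"], form["id"], form["version"]))
    return cur.rowcount == 1

def scenario(submit):
    # Users A and B load the same record, B submits first, then A.
    conn = make_db()
    form_a = load_form(conn, 99)
    form_b = load_form(conn, 99)
    form_b["name"] = "Massimo di Pierro"
    ok_b = submit(conn, form_b)
    form_a["town"] = "New York"
    ok_a = submit(conn, form_a)
    row = conn.execute("SELECT name, town FROM person WHERE id = 99").fetchone()
    return ok_b, ok_a, row

if __name__ == "__main__":
    print("id only:      ", scenario(submit_unchecked))
    print("version check:", scenario(submit_checked))
```

A `False` return from `submit_checked` is the point at which user A can be shown the current values and asked to resubmit.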