Not true. There is a mechanism to prevent that. SQLFORM for update forms stores the record id server side. If the user tampers with the form, accepts detects it.

Massimo

On Oct 15, 3:59 am, billf <[EMAIL PROTECTED]> wrote:
> If a user knows the id of a record then, by default, there is nothing
> to stop them deleting a record from the database irrespective of the
> delete checkbox being displayed. For example:
>
> http://my_server:my_port/my_application/my_controller/my_action?id=th...
>
> I know this is unlikely but in a business situation it seems a bit
> lax. In SQLFORM, deleteable is just used to decide whether to create
> the checkbox or not. Perhaps it should be saved in the form or
> session and checked before actually deleting.
>
> Bill
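
A sketch of the two server-side checks discussed in this thread, as an added example that is not part of the original messages and is not web2py's own code: the record id and the "delete offered" flag are kept in the session when the form is rendered and compared against the submitted values on accept. The class `FormGuard`, the field names `form_key` and `delete`, and the dict-based session are assumptions made for illustration.

```python
import secrets


class FormGuard:
    """Hypothetical stand-in for server-side form state (not SQLFORM itself)."""

    def __init__(self, session):
        # Per-user dict that lives on the server; the client never sees it.
        self.session = session

    def render(self, record_id, deletable=False):
        """Remember what this form may do and return the fields sent out."""
        key = secrets.token_hex(16)
        self.session[key] = {"id": record_id, "deletable": deletable}
        fields = {"form_key": key, "id": str(record_id)}
        if deletable:
            fields["delete"] = ""  # checkbox rendered, unchecked
        return fields

    def accepts(self, post):
        """Compare a submission with the stored state; return (action, detail)."""
        # pop() makes the key single-use, so a replayed form is rejected too.
        state = self.session.pop(post.get("form_key"), None)
        if state is None:
            return ("rejected", "unknown or reused form key")
        if post.get("id") != str(state["id"]):
            return ("rejected", "record id does not match the rendered form")
        if post.get("delete") == "on":
            if not state["deletable"]:
                return ("rejected", "delete was not offered for this form")
            return ("delete", state["id"])
        return ("update", state["id"])


if __name__ == "__main__":
    guard = FormGuard(session={})
    # Constructed submissions: an honest update, then two tampered posts.
    form = guard.render(7)
    print(guard.accepts(dict(form)))
    form = guard.render(7)
    print(guard.accepts(dict(form, id="8")))
    form = guard.render(7)
    print(guard.accepts(dict(form, delete="on")))
```
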