After further thought, I've flipped on this. Just create a separate table for casual groups and link it to auth_user in a many-to-many relation table. Call the M2M table user_groups.
Then create the following auth_group records:

- user_groups.create
- user_groups.read
- user_groups.select

Then create the following record in the auth_permission table:

group: user_groups.create; name: create; table: user_groups

Do similar for the other two groups.

When a user logs in to the site, check for records in the auth_membership table linking the user to the three groups above. If they do not exist, create them. That will give your casual users the ability to search for groups, read group descriptions and create new groups.

If a user registers via the web interface, the user gets a personal group named user_x, where x is the id of the auth_user record. We will use that group to control the user's ability to update and delete groups created by him.

When the user creates a group, after the controller inserts the group record, verify that there are records in auth_permission granting his personal group update and delete permissions on the casual groups table. If the records don't exist, create them. Be careful to include the id of the group record just created (form.vars.id) in the records field of the auth_permission record. If that's missing, the user will have table-wide update and delete permissions.

That's how I would do it.

On Sunday, September 30, 2012 10:44:05 PM UTC-4, Alec Taylor wrote:
>
> I have built up a social network wherein users can create groups, users
> can join groups and members of groups can RSVP to group events.
>
> How would you recommend I use web2py's in-built RBAC system to enforce
> these rules? — Or should I not use it?
>
> http://bitbucket.org/SamuelMarks/giantpicnic
>
> Thanks for all suggestions,
>
> Alec Taylor
> --
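Added example, not part of the original post or of web2py itself: a minimal in-memory stand-in for the auth_group, auth_membership and auth_permission tables that models the scheme above (three shared casual-group roles checked on login, a personal user_x group granted update/delete scoped to the newly inserted group) and shows why leaving the record id off the owner permission makes it table-wide. Assumptions: the check mirrors web2py's rule that a permission row whose record_id is 0 matches every record of that table; every function name here is a hypothetical helper, not web2py's Auth API.

```python
# Constructed stand-ins for the three web2py auth tables (assumption: same
# columns as web2py; record_id == 0 means "any record of the table").
auth_group = {}        # group_id -> role name
auth_membership = []   # (user_id, group_id)
auth_permission = []   # (group_id, name, table_name, record_id)

CASUAL_ROLES = ("user_groups.create", "user_groups.read", "user_groups.select")


def add_group(role):
    gid = len(auth_group) + 1          # ids start at 1, so 0 stays "unscoped"
    auth_group[gid] = role
    return gid


def id_group(role):
    return next((gid for gid, r in auth_group.items() if r == role), None)


def add_membership(group_id, user_id):
    if (user_id, group_id) not in auth_membership:
        auth_membership.append((user_id, group_id))


def add_permission(group_id, name, table_name, record_id=0):
    row = (group_id, name, table_name, record_id)
    if row not in auth_permission:
        auth_permission.append(row)


def has_permission(name, table_name, record_id, user_id):
    """Hypothetical mirror of web2py's check: record_id 0 on a row matches any record."""
    groups = {g for u, g in auth_membership if u == user_id}
    return any(g in groups and n == name and t == table_name and r in (0, record_id)
               for g, n, t, r in auth_permission)


def ensure_casual_roles(user_id):
    """On login: make the user a member of the three shared casual-group roles."""
    for role in CASUAL_ROLES:
        gid = id_group(role) or add_group(role)
        add_permission(gid, role.split(".")[1], "user_groups")   # table-wide on purpose
        add_membership(gid, user_id)


def grant_owner_rights(user_id, new_group_id):
    """After the controller inserts a casual group: scope update/delete to that one row."""
    role = "user_%d" % user_id
    personal = id_group(role) or add_group(role)
    add_membership(personal, user_id)
    for name in ("update", "delete"):
        add_permission(personal, name, "user_groups", new_group_id)  # record-scoped
```

Calling `add_permission(personal, "delete", "user_groups")` without the record id reproduces the pitfall the post warns about: the owner's delete right then matches every row in user_groups.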