Hello, I am relatively new to web2py. I think it's terrific, but I am still learning. Hopefully I will become expert enough to contribute answers:-) For now, despite research, I am still unclear on the use of the @auth decorators, and am seeking advice, please?
I have built an application for multiple departments to use. Each department has 3 levels of user: 'User', 'Approver' and 'Admin'. Each level of user gets a different menu and accesses only the function()s that they are authorized to use. The records for each department are to be kept totally separate (and invisible) from anyone in a different department (for security).

I have built a "sort of multi-tenant" application, where users can add and edit records, but 1) they can ONLY access records for their department and 2) they can ONLY access function()s for their Level.

A) To control access to the records, I have included a "department" field in each table and a "department" field in db.auth_user. Every query where there is a form (like an SQLFORM or SQLFORM.grid) includes:
    "&(mytable.department==auth.user.department)"

B) To control access to the function()s, I have used these decorators:
    @auth.requires_login()   # allowing any person logged in to access
or
    @auth.requires(auth.has_membership('Approver') or auth.has_membership('Admin'))   # allowing Admin or Approvers to access
or
    @auth.requires_membership('Admin')   # allowing only Admin people to access

The decorators work fine - but created a small issue where (for example) to edit a record I pass the user to a function() with an ARG=record_ID, e.g. to a page with a form; but the user could simply overtype the ARG in the URL with a different record_ID and be able to access that record (which may be outside of their department).

So, I digitally signed all URLs, and replaced the decorators with @auth.requires_signature(). This solved the issue, i.e. if a user fiddles with the ARG in the URL, they get "not authorized". Although this might not be the explicit intention of @auth.requires_signature(), it works:-)

Here is my problem: I have replaced the original group-membership decorators with @auth.requires_signature(). Ideally, I need to combine @auth.requires_signature() with other decorators, e.g.
    @auth.requires(auth.has_membership('Approver') or auth.has_membership('Admin'))
However, because @auth.requires_signature() is itself a decorator, I cannot include this in an @auth.requires(.....) decorator. So:-

1) How do I combine these decorators to include BOTH group membership and requires_signature()?
2) Can I use multiple, separate decorators for a function()? (I am sure not)
3) Is it also possible to add additional conditions to @auth.requires(), e.g. mytable.department==auth.user.department (for added security!)?
4) Or maybe there is a better way to prevent manual fiddling with the URL/ARG?

BTW - I am running 2.3.2, and still a relative novice. Thanks for reading a long question:-)
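Added example, not from the post and not web2py's own code: a small Python stand-in for the Auth calls the question uses (requires, requires_signature, has_membership) plus a hypothetical requires_same_department helper, showing that decorators can be stacked one above the other and that the real protection against an overtyped record id is a server-side check that the row's department matches the caller's; the signing key, RECORDS table and users are constructed.

```python
import hmac
import hashlib
SECRET = b"constructed-demo-key"  # stand-in for the app's signing key
# Constructed sample table: id -> row; every row carries its department.
RECORDS = {1: {"department": "sales", "note": "Q1 figures"},
           2: {"department": "hr", "note": "payroll"}}

def guard(check, reason):
    """Build a decorator that runs check(record_id, signature) before the view."""
    def deco(f):
        def wrapper(record_id, signature):
            if not check(record_id, signature):
                raise PermissionError(reason)
            return f(record_id, signature)
        return wrapper
    return deco

class FakeAuth:
    """Stand-in for the Auth methods the post uses (not web2py's code)."""
    def __init__(self, user, groups):
        self.user, self.groups = user, groups   # user: dict, groups: set of roles
    def has_membership(self, role):
        return role in self.groups
    def sign(self, record_id):
        # Stand-in for URL(..., user_signature=True): HMAC over the record id.
        return hmac.new(SECRET, str(record_id).encode(), hashlib.sha256).hexdigest()
    def requires(self, condition):
        # condition is a callable, so the group test runs on every request.
        return guard(lambda rid, sig: condition(), "group check failed")
    def requires_signature(self):
        return guard(lambda rid, sig: hmac.compare_digest(self.sign(rid), sig),
                     "signature mismatch")
    def requires_same_department(self, table):
        # Hypothetical helper: the requested row must be in the caller's department.
        def same_dept(rid, sig):
            row = table.get(rid)
            return row is not None and row["department"] == self.user["department"]
        return guard(same_dept, "record outside caller's department")

def build_edit_view(auth):
    # Decorators stack: signature is verified first, then the role, then the department.
    @auth.requires_signature()
    @auth.requires(lambda: auth.has_membership("Approver") or auth.has_membership("Admin"))
    @auth.requires_same_department(RECORDS)
    def edit(record_id, signature):
        return RECORDS[record_id]["note"]
    return edit
```

A tampered id fails the signature check, a valid signature for another department's row fails the department check, and a plain 'User' fails the role check, each before the view body runs.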