> > @auth.requires(auth.has_membership('Approver') or > auth.has_membership('Admin')) #allowing Admin or Approvers to access
The above will execute the has_membership queries every time the controller is called, even when not accessing the decorated function. To avoid the unnecessary database hits, you can put the condition inside a lambda (so it will only get called when the decorated function is actually accessed): @auth.requires(lambda: auth.has_membership('Approver') or auth. has_membership('Admin')) 1) How do I combine these decorators to include BOTH group membership and > requires_signature() ? > 2) Can I use multiple,separate decorators for a function()? (I am sure not) > Yes, decorators can be stacked: @auth.requires_signature() @auth.requires(some_condition) def myfunc(): ... > 3) It is also possible to add addtional conditions to @auth.requires() > e.g. mytable.department==auth.user.department (for added security!) > Yes, the first argument to @auth.requires() can be any expression -- its truthiness will be evaluated to determine whether access is granted. It can also be a callable, it which case, it will be called and the return value will be evaluated (hence the recommendation above to put the membership checks inside a lambda). > 4) Or maybe there is there is a better way to prevent manual fiddling with > the URL/ARG ? > Digitally signing the URLs is a good method for this. The signature is actually a hash of the URL itself (minus the signature, of course). When the request is made, web2py re-hashes the requested URL and makes sure it matches the signature -- if not, that means the URL was modified, and access is denied. The other option would be to check for permission on the requested record, but the signature is probably the best approach, as it doesn't require another database query to check permission. Anthony -- --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.