Thanks a lot, I will check it.
I just thought that I could add a args(1) which will be a random number the
controller will create and then check if the args(1) == to the var random
number it created? Is that the "token" method?
On Tuesday, September 24, 2013 11:55:50 PM UTC+3, Niphlod wrote:
> check if the t_categories row that the user is loading actually belongs to
> him ....
>
> record = db(db.t_categories.id ==
> request.args(0))(db.t_categories.created_by ==
> auth.user_id).select().first()
> if not record:
> redirect(URL('not_authorized'))
>
> BTW: with SQLFORM.grid it's easier (really).
> allowed_records = db.t_categories.created_by == auth.user_id
> grid = SQLFORM.grid(allowed_records)
>
> By default, all links to edit, create, etc are all created with the
> signature
> web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls ,
> so users can't "tamper" playing with request.args
>
> On Tuesday, September 24, 2013 7:47:39 PM UTC+2, Avi A wrote:
>>
>> Hi ,
>> i want to display a user a list of item tht belongs to him:
>> my_items= db(db.t_categories.created_by==auth.user.id
>> ).select(db.t_categories.ALL)
>> Then allow him to update each item from the list:
>> item_update=crud.update(db.t_categories,request.args(0))
>> so far so good.
>> My problem is on the /args(0) page, I still have to make sure that:
>> db.t_categories.created_by==auth.user.id
>> I don't know how to inform the controller the var:
>> db.t_categories.created_by.
>> The ajax function or a different way?
>> Thanks.
>>
>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
