Not sure I understand how it can help. If I got a page for a logged in user: dashboard/my items, where only my items are displayed (as filtered by the field item creator), and on each item on the list there is a link to edit the item: manage/item.id (as with the crud update method), then I will have a list:

manage/1
manage/3
manage/4
manage/6

I would still be able to enter manage/5, which is not my item.

On Wednesday, September 25, 2013 12:46:04 AM UTC+3, Niphlod wrote:
>
> yep but do not reinvent the wheel: use URL(... user_signature) and
> @auth.requires_signature()
>
> On Tuesday, September 24, 2013 11:03:39 PM UTC+2, Avi A wrote:
>>
>> Thanks a lot, I will check it.
>> I just thought that I could add an args(1) which will be a random number
>> the controller will create and then check if the args(1) == the var
>> random number it created? Is that the "token" method?
>>
>> On Tuesday, September 24, 2013 11:55:50 PM UTC+3, Niphlod wrote:
>>>
>>> check if the t_categories row that the user is loading actually belongs
>>> to him ....
>>>
>>>     record = db(db.t_categories.id == request.args(0))(db.t_categories.created_by == auth.user_id).select().first()
>>>     if not record:
>>>         redirect(URL('not_authorized'))
>>>
>>> BTW: with SQLFORM.grid it's easier (really).
>>>
>>>     allowed_records = db.t_categories.created_by == auth.user_id
>>>     grid = SQLFORM.grid(allowed_records)
>>>
>>> By default, all links to edit, create, etc are all created with the
>>> signature
>>> web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls ,
>>> so users can't "tamper" playing with request.args
>>>
>>> On Tuesday, September 24, 2013 7:47:39 PM UTC+2, Avi A wrote:
>>>>
>>>> Hi,
>>>> I want to display a user a list of items that belong to him:
>>>>
>>>>     my_items = db(db.t_categories.created_by == auth.user.id).select(db.t_categories.ALL)
>>>>
>>>> Then allow him to update each item from the list:
>>>>
>>>>     item_update = crud.update(db.t_categories, request.args(0))
>>>>
>>>> so far so good.
>>>> My problem is on the /args(0) page, I still have to make sure that:
>>>>
>>>>     db.t_categories.created_by == auth.user.id
>>>>
>>>> I don't know how to inform the controller the var:
>>>> db.t_categories.created_by.
>>>> The ajax function or a different way?
>>>> Thanks.
>>>>

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
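The two layers discussed in this thread, a user-bound signed link and the server-side ownership check on manage/<id>, as an added stand-alone Python model (not web2py's code: the in-memory table, the secret and the helper names sign_url, signature_valid and authorize are constructed for illustration). It shows why a hand-typed manage/5 is rejected by the signature check and why the ownership check still stands on its own.

```python
import hmac
import hashlib

# Constructed stand-in for db.t_categories: id -> row (not a real DAL table).
T_CATEGORIES = {
    1: {"name": "books", "created_by": 7},
    3: {"name": "music", "created_by": 7},
    5: {"name": "tools", "created_by": 9},   # owned by a different user
}

SERVER_SECRET = b"constructed-secret-for-this-example"  # never hard-code in real apps


def sign_url(path, user_id):
    """Model of a user-bound signed URL (hypothetical helper): the MAC covers the
    path AND the user id, so a link rendered for one user is not valid for another."""
    msg = f"{user_id}:{path}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{path}?_signature={sig}"


def signature_valid(path, signature, user_id):
    """Constant-time check of a signature against the current user's identity."""
    msg = f"{user_id}:{path}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def authorize(record_id, user_id, signature=None):
    """Controller model for manage/<record_id>. Returns "ok", "bad_signature"
    or "not_authorized". The signature layer rejects URLs typed by hand; the
    ownership layer (created_by == user_id, as in the thread) rejects any
    record that is not the caller's, whatever link was used to reach it."""
    path = f"manage/{record_id}"
    if signature is None or not signature_valid(path, signature, user_id):
        return "bad_signature"
    record = T_CATEGORIES.get(record_id)
    if record is None or record["created_by"] != user_id:
        return "not_authorized"          # mirrors redirect(URL('not_authorized'))
    return "ok"


def my_items(user_id):
    """The dashboard list: only rows whose created_by matches the user."""
    return sorted(rid for rid, row in T_CATEGORIES.items() if row["created_by"] == user_id)


def signature_of(url):
    """Extract the _signature query value from a URL produced by sign_url."""
    return url.split("_signature=", 1)[1]
```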