Did you read the book link I gave you? If yes, and if you actually tried, you wouldn't ask this question :-P Signed URLs mean that nobody will be able to access manage/5 unless they pass the correct signature, which is quite impossible to guess in advance.
If you don't want to use signed URLs, fine. Check that the user owns the record with the query I gave you in my first reply.

On Wednesday, September 25, 2013 12:06:14 AM UTC+2, Avi A wrote:
>
> Not sure I understand how it can help.
> If I got a page for a logged-in user: dashboard/my items,
> where only my items are displayed (as filtered by field item creator),
> and on each item on the list there is a link to edit the item:
> manage/item.id (as with the crud update method),
> then I will have a list:
> manage/1
> manage/3
> manage/4
> manage/6
>
> I would still be able to enter:
> manage/5
> which is not my item.
>
> On Wednesday, September 25, 2013 12:46:04 AM UTC+3, Niphlod wrote:
>>
>> yep but do not reinvent the wheel: use URL(... user_signature) and
>> @auth.requires_signature()
>>
>> On Tuesday, September 24, 2013 11:03:39 PM UTC+2, Avi A wrote:
>>>
>>> Thanks a lot, I will check it.
>>> I just thought that I could add an args(1) which will be a random number
>>> the controller will create, and then check if args(1) == the random
>>> number it created? Is that the "token" method?
>>>
>>> On Tuesday, September 24, 2013 11:55:50 PM UTC+3, Niphlod wrote:
>>>
>>>> check if the t_categories row that the user is loading actually belongs
>>>> to him ....
>>>>
>>>> record = db(db.t_categories.id == request.args(0))(db.t_categories.created_by == auth.user_id).select().first()
>>>> if not record:
>>>>     redirect(URL('not_authorized'))
>>>>
>>>> BTW: with SQLFORM.grid it's easier (really).
>>>> allowed_records = db.t_categories.created_by == auth.user_id
>>>> grid = SQLFORM.grid(allowed_records)
>>>>
>>>> By default, all links to edit, create, etc. are created with the signature
>>>> web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls, so
>>>> users can't "tamper" playing with request.args
>>>>
>>>> On Tuesday, September 24, 2013 7:47:39 PM UTC+2, Avi A wrote:
>>>>>
>>>>> Hi,
>>>>> I want to display to a user a list of items that belong to him:
>>>>> my_items = db(db.t_categories.created_by == auth.user.id).select(db.t_categories.ALL)
>>>>> Then allow him to update each item from the list:
>>>>> item_update = crud.update(db.t_categories, request.args(0))
>>>>> so far so good.
>>>>> My problem is on the /args(0) page, I still have to make sure that:
>>>>> db.t_categories.created_by == auth.user.id
>>>>> I don't know how to inform the controller of the var:
>>>>> db.t_categories.created_by.
>>>>> The ajax function or a different way?
>>>>> Thanks.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
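The thread above makes two separate points: the manage/5 problem is an insecure direct object reference (the id in request.args is attacker-controlled), and it is closed either by querying on id AND created_by or by refusing any manage/N link whose HMAC signature does not match. The following is an added, stand-alone example that is not from the original posts or from web2py itself: it runs without web2py, using a plain dict (T_CATEGORIES, constructed data) in place of db.t_categories, per-user HMAC keys (USER_KEYS, constructed; web2py keeps its own key for URL(..., user_signature=True)) and a simplified signature over the URL path, using the `_signature` query name that web2py uses. Both defences are shown, and the test case is the exact manoeuvre Avi describes: take a legitimate link to manage/3 and edit it to manage/5.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data standing in for db.t_categories (not a web2py DAL).
# id -> row; created_by is the owning user id, as in the thread.
T_CATEGORIES = {
    1: {"name": "books", "created_by": 7},
    3: {"name": "music", "created_by": 7},
    4: {"name": "tools", "created_by": 7},
    5: {"name": "secret", "created_by": 9},   # owned by a different user
    6: {"name": "games", "created_by": 7},
}

# Constructed per-user secrets; web2py derives its own key, this is an assumption.
USER_KEYS = {7: b"user7-secret-hmac-key", 9: b"user9-secret-hmac-key"}


def owned_record(table, record_id, user_id):
    """Equivalent of the thread's ownership query: filter on id AND created_by.

    Returns the row or None. None must end in a redirect/403, never in the
    update form, so an id from another user behaves exactly like a missing id.
    """
    try:
        rid = int(record_id)
    except (TypeError, ValueError):
        return None
    row = table.get(rid)
    if row is None or row["created_by"] != user_id:
        return None
    return row


def _digest(path, user_id):
    # HMAC over the full path, so every request.arg is covered by the signature.
    return hmac.new(USER_KEYS[user_id], path.encode(), hashlib.sha256).hexdigest()


def signed_url(controller, function, args, user_id):
    """Build /controller/function/arg1/...?_signature=<hmac>.

    Simplified stand-in for web2py's URL(..., user_signature=True); the
    query-variable name _signature matches web2py's, the key handling does not.
    """
    path = "/" + "/".join([controller, function] + [str(a) for a in args])
    return path + "?" + urlencode({"_signature": _digest(path, user_id)})


def verify_signed_url(url, user_id):
    """Stand-in for @auth.requires_signature(): recompute the HMAC over the
    path and compare in constant time. Changing manage/3 to manage/5 changes
    the path, so the old signature no longer verifies."""
    parts = urlsplit(url)
    sig = parse_qs(parts.query).get("_signature", [""])[0]
    return hmac.compare_digest(sig, _digest(parts.path, user_id))


def manage(url, user_id, require_signature=True):
    """Controller stand-in for manage/<id>: signature first, then ownership.

    Either check alone blocks manage/5 for user 7; keeping both means a
    forgotten user_signature=True on some link does not reopen the hole.
    """
    if require_signature and not verify_signed_url(url, user_id):
        return "not_authorized"
    record_id = urlsplit(url).path.rstrip("/").split("/")[-1]
    row = owned_record(T_CATEGORIES, record_id, user_id)
    return row["name"] if row else "not_authorized"


def my_items(table, user_id):
    """Dashboard stand-in: only the user's rows, each with a signed edit link."""
    return {rid: signed_url("default", "manage", [rid], user_id)
            for rid, row in sorted(table.items()) if row["created_by"] == user_id}
```

In a real web2py controller the ownership query also has to sit on the update side, which is what `SQLFORM.grid(db.t_categories.created_by == auth.user_id)` gives you for free: the grid both restricts the rows it lists and signs the edit links it emits, so the two checks in `manage()` above are applied without extra code.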