On Wednesday, November 4, 2015 at 5:47:07 PM UTC-5, Alex Glaros wrote:
>
> oops, regarding security, you're right Anthony. Users could walk the URL address. Is this better? Seems to work...
>
> @auth.requires(lambda: not db((db.auth_membership.user_id == auth.user_id) & (db.auth_membership.group_id == db.auth_group.id) & (db.auth_group.role == request.get_vars.specificObjectID) & (db.auth_group.organizationID == request.get_vars.specificOrganizationID)).isempty())
I don't know on what basis you are trying to restrict access. Based on the above, someone could still construct a URL that includes any auth_group.role that they know they belong to. If you're OK with that, then that's fine, but it is equivalent to allowing access to anyone who has any Auth role whatsoever. In general, it seems odd to determine which roles are allowed access based on roles sent as user input.

Anthony
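To make the point concrete, here is an added example (not code from the thread or from web2py) that rebuilds the quoted membership check over a constructed in-memory model, so the decorator's logic can be exercised without web2py's DAL. The `flawed_allowed` function mirrors the decorator as posted, with the role and organisation taken from `request.get_vars`; `hardened_allowed` is an assumed alternative that derives the required role from the requested object on the server side, so the client never names the role. The groups, memberships and `OBJECT_REQUIRED_ROLE` table are constructed sample data.

```python
# Added example, not web2py code: the quoted membership check rebuilt over
# constructed data so the weakness can be demonstrated offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    id: int
    role: str
    organizationID: int


# Constructed sample data: user 1 is a "viewer" in org 10,
# user 2 is an "admin" in org 20, user 3 has no membership at all.
GROUPS = [Group(1, "viewer", 10), Group(2, "admin", 20)]
MEMBERSHIPS = {(1, 1), (2, 2)}  # (auth_membership.user_id, group_id)

# Assumed server-side table: which role an object in an org requires.
# A real app would look this up from the object, never from the request.
OBJECT_REQUIRED_ROLE = {("obj-42", 20): "admin"}


def has_membership(user_id, role, org_id):
    """Mirror of the DAL query: is the user a member of any group that has
    this role in this organisation? get_vars arrive as strings, so the
    org id is compared as text on both sides."""
    return any(
        (user_id, g.id) in MEMBERSHIPS
        for g in GROUPS
        if g.role == role and str(g.organizationID) == str(org_id)
    )


def flawed_allowed(user_id, get_vars):
    """The check as quoted: role and org come straight from the query
    string, so the caller picks which of their own roles gets tested."""
    return has_membership(
        user_id,
        get_vars.get("specificObjectID"),
        get_vars.get("specificOrganizationID"),
    )


def hardened_allowed(user_id, object_id, org_id):
    """Assumed fix: the client names only the object; the role it requires
    is resolved on the server, then membership is checked against that."""
    required = OBJECT_REQUIRED_ROLE.get((object_id, org_id))
    if required is None:
        return False
    return has_membership(user_id, required, org_id)
```

Run against the sample data, user 1 passes the flawed check for any page simply by putting their own "viewer" role in the URL, while the hardened check only admits the user who actually holds the role the object requires.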