I have this page from the edit button of the child. http://127.0.0.1:8000/web_ocms/amc/new_contract/amc_master/amc_details.amc_id/17/edit/amc_details/10 Here 17 is the id of the master and 10 is the id of the child. I have set common_filter in controller so that the records of master and child belonging to the logged in user is listed in grid. So in controller I check the master id and child id and if not of the user I raise a flash tampering not allowed and redirect to the master grid. So far OK. But now if 17 and 10 are tampered to say 20 and 25 and the new record also belongs to the user the form show the record to edit. I would like that the tampering of url not be allowed. That is if one clicks the edit button and gets the above url I should allow processing only with 17 and 10 and not any other record. Thanks for suggestions.
-- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
