Hello, 

I used this workaround in a similar case:

@auth.requires_login()
@request.restful()
def myapi():
    def GET():
        response.view = 'generic.json'
        # Maybe in your case mytable.user_id==auth.user.id
        myreg = db(db.mytable.created_by==auth.user.id).select()
        if myreg:
            # Only rows created by the logged-in user are returned
            return dict(myreg=myreg)
        else:
            data = '{"Result" : "Still empty"}'
            return data
    return dict(GET=GET)



On Saturday, May 23, 2020, 10:17:44 (UTC+2), Alexei Vinidiktov wrote:
>
> Hello,
>
> How can I restrict access via RestAPI for the user such that they can only 
> get their own records (those that have the field user_id matching their 
> user id)?
>
> For example, I have a table named 'collections' that has a 'user_id' 
> field, and I want my users to get only the collections that they created.
>
> If they try to get someone else's collection, then they should get a 'not 
> authorized' response.
>
> As an extension, I would also like to allow for users to be able to get 
> someone else's collection if its status is equal to 'PUBLIC'.
>
> Here's the definition of my collections table:
>
> db.define_table('collections',
> Field('user_id', db.auth_user, notnull=True),
> Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code', 
> db.language._format), notnull=True),
> Field('title', length=512, notnull=True),
> Field('description', 'text', notnull=False),
> Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True, 
> default='PRIVATE'),
> Field('level',length=10, requires=IS_IN_SET(level_set), notnull=True, 
> default='NONE'))
>
> Thanks,
>
> --
> Alexei
>
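
An added example, not code from either poster: one way to cover both parts of the question (own records only, plus other users' records whose privacy is 'PUBLIC') in a web2py RESTful controller. The endpoint name collections, the helpers read_status and visible, and the 400/404 responses are assumptions; the controller part is only defined when web2py's controller globals are present.

```python
# Added example for web2py; not code from the thread.
PUBLIC = 'PUBLIC'

def read_status(row, user_id):
    """HTTP status for user_id reading one collections row (None = no such row)."""
    if row is None:
        return 404
    if row['user_id'] == user_id or row['privacy'] == PUBLIC:
        return 200
    return 403  # exists, but private and owned by someone else

def visible(rows, user_id):
    """Rows the user may read: their own plus anyone's PUBLIC ones."""
    return [r for r in rows if read_status(r, user_id) == 200]

# Constructed sample rows (plain dicts standing in for DAL Row objects).
SAMPLE_ROWS = [
    {'id': 1, 'user_id': 1, 'privacy': 'PRIVATE', 'title': 'mine'},
    {'id': 2, 'user_id': 2, 'privacy': 'PRIVATE', 'title': 'theirs'},
    {'id': 3, 'user_id': 2, 'privacy': 'PUBLIC', 'title': 'shared'},
]

# web2py injects db, auth, request, response and HTTP into controller files,
# so this part is only defined when the file runs as a controller.
if 'auth' in globals():
    @auth.requires_login()
    @request.restful()
    def collections():
        response.view = 'generic.json'

        def GET(collection_id=None):
            t = db.collections
            if collection_id is None:
                # List: let the database apply the same rule as read_status().
                query = (t.user_id == auth.user.id) | (t.privacy == PUBLIC)
                return dict(collections=db(query).select())
            if not str(collection_id).isdigit():
                raise HTTP(400, 'bad id')
            row = db(t.id == collection_id).select().first()
            status = read_status(row, auth.user.id)
            if status != 200:
                raise HTTP(status, 'not authorized' if status == 403 else 'not found')
            return dict(collection=row)
        return dict(GET=GET)
```

The list branch filters in the query itself, so rows the caller may not read never leave the database; the single-record branch checks ownership after the lookup so it can answer 'not authorized' as the question asks.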
