The "proper" way would be to define "scopes" in your application. Scopes
define who has access to which data.
You can also call it roles or tags or whatever.
Scopes is the term that is used by OAuth/OpenID connect, which is usually
used to secure APIs.
Normally you would get an OpenID (OIDC) ID Token as JWT when you login.
Once you have that you would read that tokens contents and look for the
scopes in the token and match those scopes with which the user shall access
your data.
Similiar to what you did here with the workaround to match the user.id to
the data.
I suppose you can extend this examlple/workaround to used custom auth
fields or the roles fields provided by web2py.
Some applications dont use scopes but so called claims from the JWT token.
Claims is extra info about a user such as first, lastname phonenumber etc.
that can be extracted from the token.
They put user roles in the tokens claims and match them with the
applications rest api against the database.
Similair to what you did.
But claims are not supposed to be used for that normally, that is what
scopes are for.
Claims are just used to "contextualize" a reqiest for the API i.e. fetch
relevant information for the requestor if the requestor is for example from
Europe fetch all infos for Europeans from the database,
if from another continent, fetch other data.
I have not seen Web2py used in this way, but there you go.
Just though this info may be interesting.
I found this example / workaorund super useful.
Will also use it :).
Seems to just get the job done quickly.
On Wed, May 27, 2020 at 6:18 PM Jacinto Parga <jpar...@gmail.com> wrote:
> Hello,
>
> I used this workaround in a similar case:
>
> @auth.requires_login()
> @request.restful()
> def myapi():
> def GET():
> response.view = 'generic.json'
> myreg = db(db.mytable.created_by==auth.user.id).select() # Maybe
> in your case mytable.user_id==auth.user.id
> if myreg:
> return dict(myreg=myreg)
> else:
> data ='{"Result" : "Still empty"}'
> return data
> return dict(GET=GET)
>
>
>
> El sábado, 23 de mayo de 2020, 10:17:44 (UTC+2), Alexei Vinidiktov
> escribió:
>>
>> Hello,
>>
>> How can I restrict access via RestAPI for the user such that they can
>> only get their own records (those that have the field user_id matching
>> their user id)?
>>
>> For example, I have a a table named 'collections' that has a 'user_id'
>> field, and I want my users to get only the collections that they created.
>>
>> If they try to get someone else's collection, then they should get a 'not
>> authorized' response.
>>
>> As an extension, I would also like to allow for users to be able to get
>> someone else's collection if its status is equal to 'PUBLIC'.
>>
>> Here's the definition of my collections table:
>>
>> db.define_table('collections',
>> Field('user_id', db.auth_user, notnull=True),
>> Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code',
>> db.language._format), notnull=True),
>> Field('title', length=512, notnull=True),
>> Field('description', 'text', notnull=False),
>> Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True,
>> default='PRIVATE'),
>> Field('level',length=10, requires=IS_IN_SET(level_set), notnull=True,
>> default='NONE'))
>>
>> Thanks,
>>
>> --
>> Alexei
>>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/web2py/a01f1311-adfe-4b95-9200-14afe29c9e5b%40googlegroups.com
> <https://groups.google.com/d/msgid/web2py/a01f1311-adfe-4b95-9200-14afe29c9e5b%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/web2py/CADHCKLSFWgpUxn1khMyow3U23ZeUi%2Byd9o%3Dk5d9WGc2syOhPJA%40mail.gmail.com.
