Hello, yes you are right.
Are these tools not enough for the approach of "scopes": http://web2py.com/books/default/chapter/29/09/access-control#Authorization and http://web2py.com/books/default/chapter/29/09/access-control#Decorators ? I mean you are talking about allowing certain users access to certain information in some tables. You are talking about access control and permissions. Something like the example in the book:

Assuming the following definitions:

    >>> from gluon.tools import Auth
    >>> auth = Auth(db)
    >>> auth.define_tables()
    >>> secrets = db.define_table('secret_document', Field('body'))
    >>> james_bond = db.auth_user.insert(first_name='James', last_name='Bond')

Here is an example:

    >>> doc_id = db.secret_document.insert(body = 'top secret')
    >>> agents = auth.add_group(role = 'Secret Agent')
    >>> auth.add_membership(agents, james_bond)
    >>> auth.add_permission(agents, 'read', secrets)
    >>> print auth.has_permission('read', secrets, doc_id, james_bond)
    True
    >>> print auth.has_permission('update', secrets, doc_id, james_bond)
    False

    @auth.requires_permission('read', secrets)
    def function_four():
        return 'you can read secret documents'

On Wednesday, 27 May 2020, 19:03:07 (UTC+2), Kevin Keller wrote:
>
> The "proper" way would be to define "scopes" in your application. Scopes
> define who has access to which data.
> You can also call it roles or tags or whatever.
> Scopes is the term that is used by OAuth/OpenID Connect, which is usually
> used to secure APIs.
>
> Normally you would get an OpenID (OIDC) ID Token as JWT when you login.
> Once you have that you would read that token's contents and look for the
> scopes in the token and match those scopes with which the user shall access
> your data.
> Similar to what you did here with the workaround to match the user.id to
> the data.
> I suppose you can extend this example/workaround to use custom auth
> fields or the roles fields provided by web2py.
>
> Some applications don't use scopes but so called claims from the JWT token.
> Claims is extra info about a user such as first name, last name, phone number etc.
> that can be extracted from the token.
> They put user roles in the token's claims and match them with the
> application's REST API against the database.
> Similar to what you did.
>
> But claims are not supposed to be used for that normally, that is what
> scopes are for.
> Claims are just used to "contextualize" a request for the API, i.e. fetch
> relevant information for the requestor: if the requestor is for example from
> Europe, fetch all infos for Europeans from the database;
> if from another continent, fetch other data.
>
> I have not seen web2py used in this way, but there you go.
> Just thought this info may be interesting.
>
> I found this example / workaround super useful.
>
> Will also use it :).
>
> Seems to just get the job done quickly.
>
> On Wed, May 27, 2020 at 6:18 PM Jacinto Parga <jpa...@gmail.com> wrote:
>
>> Hello,
>>
>> I used this workaround in a similar case:
>>
>>     @auth.requires_login()
>>     @request.restful()
>>     def myapi():
>>         def GET():
>>             response.view = 'generic.json'
>>             myreg = db(db.mytable.created_by==auth.user.id).select()  # Maybe in your case mytable.user_id==auth.user.id
>>             if myreg:
>>                 return dict(myreg=myreg)
>>             else:
>>                 data = '{"Result" : "Still empty"}'
>>                 return data
>>         return dict(GET=GET)
>>
>> On Saturday, 23 May 2020, 10:17:44 (UTC+2), Alexei Vinidiktov wrote:
>>>
>>> Hello,
>>>
>>> How can I restrict access via RestAPI for the user such that they can
>>> only get their own records (those that have the field user_id matching
>>> their user id)?
>>>
>>> For example, I have a table named 'collections' that has a 'user_id'
>>> field, and I want my users to get only the collections that they created.
>>>
>>> If they try to get someone else's collection, then they should get a
>>> 'not authorized' response.
>>>
>>> As an extension, I would also like to allow for users to be able to get
>>> someone else's collection if its status is equal to 'PUBLIC'.
>>>
>>> Here's the definition of my collections table:
>>>
>>>     db.define_table('collections',
>>>         Field('user_id', db.auth_user, notnull=True),
>>>         Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code', db.language._format), notnull=True),
>>>         Field('title', length=512, notnull=True),
>>>         Field('description', 'text', notnull=False),
>>>         Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True, default='PRIVATE'),
>>>         Field('level', length=10, requires=IS_IN_SET(level_set), notnull=True, default='NONE'))
>>>
>>> Thanks,
>>>
>>> --
>>> Alexei
>>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to web...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/web2py/a01f1311-adfe-4b95-9200-14afe29c9e5b%40googlegroups.com
>>
>
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/c55b7133-868e-46c8-a015-4613f33b5f51%40googlegroups.com.
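The owner-or-PUBLIC rule that Alexei asks for, written out as an added example that is not part of this thread and does not use web2py: plain Python stands in for the DAL so it runs stand-alone. `Collection`, `COLLECTIONS`, `can_read`, `get_collection` and `list_collections` are assumed names, and the rows are constructed sample data, not anyone's real table.

```python
# Added example, not from the thread: object-level authorization for a
# collections-style REST GET, modelled without web2py so it runs stand-alone.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Collection:
    """Stand-in for a row of the 'collections' table from the question."""
    id: int
    user_id: int      # owner (db.auth_user reference in the real table)
    privacy: str      # 'PRIVATE' or 'PUBLIC', as in the privacy field
    title: str


# Constructed sample rows standing in for db.collections.
COLLECTIONS: Dict[int, Collection] = {
    1: Collection(1, user_id=7, privacy='PRIVATE', title='my notes'),
    2: Collection(2, user_id=7, privacy='PUBLIC', title='shared vocab'),
    3: Collection(3, user_id=9, privacy='PRIVATE', title='someone else'),
    4: Collection(4, user_id=9, privacy='PUBLIC', title='public deck'),
}


def can_read(col: Collection, user_id: int) -> bool:
    """The whole authorization rule in one place: own rows, or PUBLIC rows."""
    return col.user_id == user_id or col.privacy == 'PUBLIC'


def get_collection(collection_id: int, user_id: int) -> Tuple[int, dict]:
    """GET /collections/<id> for the logged-in user.

    Returns (status, body): 200 with the record when readable,
    403 'not authorized' for someone else's PRIVATE record, 404 if absent.
    The check runs on the row itself, never on the id supplied by the caller.
    """
    col = COLLECTIONS.get(collection_id)
    if col is None:
        return 404, {"error": "not found"}
    if not can_read(col, user_id):
        return 403, {"error": "not authorized"}
    return 200, {"id": col.id, "title": col.title, "privacy": col.privacy}


def list_collections(user_id: int) -> List[int]:
    """GET /collections: ids of rows the caller may read (own, or PUBLIC)."""
    return [c.id for c in COLLECTIONS.values() if can_read(c, user_id)]


if __name__ == "__main__":
    # user 7 owns 1 and 2; 4 is PUBLIC; 3 is another user's PRIVATE record
    print(list_collections(7))        # [1, 2, 4]
    print(get_collection(3, 7))       # (403, {'error': 'not authorized'})
```

In web2py terms the list filter is the same condition pushed into the DAL query, assuming the table from the post: `db((db.collections.user_id == auth.user.id) | (db.collections.privacy == 'PUBLIC')).select()`. For the single-record path, fetch the row by id and apply `can_read` before returning it; whether a foreign PRIVATE record answers 403 or 404 is a design choice, and answering 404 for both avoids confirming that the record exists.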