The easiest way is this: say you have db.define_table('data',Field('something'),Field('created_by',db.auth,default=auth.user_id,writable=False))
make sure to filter recods with db(db.data.created_by==auth.user_id) before you list them. and if not db.data[record_id].created_by==auth.user_id: redirect(some error page). You can use curd.settings.auth : # require permissions for every action crud.settings.auth.auth # give ervybody permission to create 'data' records auth.settings.register_onaccept=lambda form: auth.add_permission(auth.user_group(form.vars.id),'create','data') # give users all permission on records they create def give_permission(form): for name in ('read','update','select','delete'): auth.add_permission(auth.user_group(),name,form.table,form.vars.id) crud.settings.create_onaccept=give_permission On May 10, 5:55 pm, greenpoise <danel.sega...@gmail.com> wrote: > Ok. Let me explain it better. I am trying to build an app. where > inspectors (construction) will entered gathered data. The thing is > that the inspectors are from different companies. I want the different > companies to see what they have gathered only. > > Example: > Company A can only see what they gathered and entered > Company B can only see what they gathered and entered. > > Right now users can log (no matter which company) and see all the > data, so I am missing something. Is it in the authentication? or is it > in the sql logic of it?? > > Thanks > > d > > On May 10, 4:58 pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > > > Do you mean you want to limit which fields will be visible to users > > when they register and edit their profile? > > > You need to use a custom auth_user table and set writable=False for > > those fields they cannot edit, and readable=False for those that > > should not be visible. For example: > > > db.define_table('auth_user', > > Field('first_name', length=512,default=''), > > Field('last_name', length=512,default=''), > > Field('username',length=32,default='', > > > requires=(IS_NOT_EMPTY(),IS_NOT_IN_DB(db,'auth_user.username'))), > > Field('email', length=512,default='', > > > requires=(IS_EMAIL(),IS_NOT_IN_DB(db,'auth_user.email'))), > > Field('password', 'password', readable=False, > > label='Password', > > requires=[CRYPT(auth.settings.hmac_key)]), > > > Field('is_admin','boolean',default=True,readable=False,writable=False), > > Field('registration_key', length=512,writable=False, > > readable=False,default=''), > > Field('reset_password_key', length=512,writable=False, > > readable=False, default='', > > label=auth.messages.label_reset_password_key), > > ) > > > As you can see is_admin is not readable and writable. > > auth.define_tables() # creates all needed > > tables > > > On May 10, 12:39 pm, greenpoise <danel.sega...@gmail.com> wrote: > > > > Whenever I use authentication on its basic form: > > > > 1. Any user can register something I do not want. > > > 2. Any user can see all the data > > > > I want to be more specific and have control of the registration > > > process as to where I create the users and group they pertain to and > > > hence look at their specific data only. Where is this defined? within > > > the Authentication/Groups or do I have to add another specifying > > > field?? I read the Authentication part of the book but I simply dont > > > know how to tackle this problem. > > > > Also while at it, is it a good practice to use the same database for > > > different clients? > > > > Thanks