Thanks, pbreit, for the answer! Actually each record in the table has different read permissions: some of them could be read by one user, others by other users.
For the fields other than 'upload' type, the web2py authorization scheme works fine, but unfortunately for the 'upload' field type - according to the documentation - the only way is to set a function for db.<table_name>.<field_name>.authorization = <lambda_with_auth_code>. In my case the lambda function is not working.

Is there any way to find the tablename.fieldname (in my case uploads.document) and the requested record id within the download function? This way I could check the current user permissions against the particular record id.

On Aug 8, 8:01 pm, pbreit <pbreitenb...@gmail.com> wrote:
> If you want to password protect the download, you need to decorate it:
>
> @auth.requires_login()
> def download():
>     ...
>
> If you want to make sure only the owner can download it, you would need some
> additional code (db.uploads.created_by==auth.user_id).
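The per-record check asked about above, as an added example that is not part of the original thread and not web2py's own code. It assumes the stored upload name has the layout `<table>.<field>.<uuidkey>.<b16-encoded original name>.<ext>` and reaches the download function as its last URL argument; `RECORDS`, `READERS` and both function names are hypothetical stand-ins for `db.uploads` and a permission lookup.

```python
import base64
import re

# Assumed layout of a stored upload name:
#   <table>.<field>.<uuidkey>.<b16-encoded original name>.<ext>
UPLOAD_NAME = re.compile(
    r"^(?P<table>[\w-]+)\.(?P<field>[\w-]+)\.(?P<uuidkey>[\w-]+)"
    r"(\.(?P<name>\w+))?\.\w+$"
)

def parse_upload_name(stored_name):
    """Return (table, field, original_name), or None if the name is malformed."""
    m = UPLOAD_NAME.match(stored_name)
    if not m:
        return None
    original = None
    if m.group("name"):
        try:
            raw = base64.b16decode(m.group("name"), casefold=True)
            original = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            original = None  # name segment was not valid hex / UTF-8
    return m.group("table"), m.group("field"), original

# Constructed sample data standing in for db.uploads and its read permissions.
RECORDS = [
    {"id": 1, "document": "uploads.document.8a7b6c5d4e3f2a1b.7265706f72742e706466.pdf"},
    {"id": 2, "document": "uploads.document.1122334455667788.6e6f7465732e747874.txt"},
]
READERS = {1: {10, 11}, 2: {11}}  # record id -> user ids allowed to read it

def authorize_download(stored_name, user_id, allowed=(("uploads", "document"),)):
    """Return the record id if user_id may read the file, else None (deny)."""
    parsed = parse_upload_name(stored_name)
    # Deny malformed names and any table/field not explicitly served here.
    if parsed is None or parsed[:2] not in allowed:
        return None
    # Map the stored name back to its record, then check that record's readers.
    for row in RECORDS:
        if row["document"] == stored_name:
            return row["id"] if user_id in READERS.get(row["id"], set()) else None
    return None  # no record references this file
```

The function denies by default: an unknown file, an unlisted table or field, or a user missing from the record's reader set all return `None`.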