user_signature in py4web


mauri...@gmail.com

Jul 20, 2022, 4:09:42 AM
to py4web
In web2py, we have the user_signature=True that helps limit access to various rows or something like that.
e.g.
g = Form.grid(db.article, searchable=True, csv=False, user_signature=True, paginate=50)

I've tried to have the same limits in py4web but all data is easily accessible to all users accessing the db. How can I limit it to only the author of the data?

Using the field constructor 'authorize' doesn't change much. In this tutorial on row based access control, it looks like all users still have access but with limited actions.

Regards

mauri...@gmail.com

Jul 20, 2022, 4:22:12 AM
to py4web
My try is:

@action('listing', method=["GET", "POST"])
@action('listing/<path:path>', method=["GET", "POST"])
@action.uses('blog_articles/listing.html', db, auth.user)
def listing(path=None):
    if 'author' not in groups.get(auth.get_user()['id']):
        redirect(URL('allow_error'))
    else:
        left = db.article_listing.on(db.article_listing.id == db.auth_user.id)
        query = db.article_listing.id > 0

        grid = Grid(
            path,
            query=query,
            columns=[
                db.article_listing.id,
                db.article_listing.blog_title,
                db.article_listing.article_details,
                db.article_listing.posted_on,
            ],
            search_form=None,
            show_id=True,
            rows_per_page=20,
            editable=True, deletable=True, details=False, create=True,
            grid_class_style=GridClassStyleBulma,
            formstyle=FormStyleBulma,
            search_queries=[
                ['By Title', lambda val: db.article_listing.blog_title.contains(val)],
            ],
            field_id=db.article_listing.id,
            left=left,
        )
    return dict(grid=grid)

N/B

All users are in the 'author' group
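
The group check in the post above gates the action but not the rows: with every user in 'author' and a query of `id > 0`, each author is handed everyone's records. The following is an added example, not part of the original thread and not py4web code; it uses the standard-library sqlite3 module so it runs stand-alone, assumes a hypothetical `created_by` owner column on `article_listing`, and contrasts the posted check with an owner-scoped listing and an owner-checked update.

```python
import sqlite3

GROUPS = {1: {"author"}, 2: {"author"}}  # constructed: every user is an author


def make_db():
    """Constructed sample data; created_by is an assumed owner column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article_listing "
        "(id INTEGER PRIMARY KEY, blog_title TEXT, created_by INTEGER)"
    )
    conn.executemany(
        "INSERT INTO article_listing (blog_title, created_by) VALUES (?, ?)",
        [("alice draft", 1), ("alice post", 1), ("bob post", 2)],
    )
    return conn


def list_group_gated(conn, user_id):
    """Mirrors the posted action: group check, then a query matching all rows."""
    if "author" not in GROUPS.get(user_id, set()):
        raise PermissionError("not in 'author' group")
    sql = "SELECT id, blog_title FROM article_listing WHERE id > 0 ORDER BY id"
    return conn.execute(sql).fetchall()


def list_owned(conn, user_id):
    """Row-level rule: the owner condition is part of the query itself."""
    sql = ("SELECT id, blog_title FROM article_listing "
           "WHERE created_by = ? ORDER BY id")
    return conn.execute(sql, (user_id,)).fetchall()


def update_owned(conn, user_id, article_id, new_title):
    """Writes addressed by id repeat the owner condition; returns True if applied."""
    cur = conn.execute(
        "UPDATE article_listing SET blog_title = ? WHERE id = ? AND created_by = ?",
        (new_title, article_id, user_id),
    )
    return cur.rowcount == 1


if __name__ == "__main__":
    conn = make_db()
    print(list_group_gated(conn, 2))   # all three rows
    print(list_owned(conn, 2))
    print(update_owned(conn, 2, 1, "x"), update_owned(conn, 2, 3, "bob edited"))
```

The listing condition here corresponds to the `query` argument that the posted action passes to `Grid`.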

Massimo DiPierro

Jul 20, 2022, 5:28:36 AM
to mauri...@gmail.com, py4web
At this time py4web does not use field.authorize. Should it support it?


Maurice Waka

Jul 20, 2022, 5:47:00 AM
to Massimo DiPierro, py4web
I'd like to have it. As well it could be modified along depending on users.
Regards 

Massimo

Jul 20, 2022, 5:55:50 AM
to py4web
Let's discuss how it should behave. In py4web this was used by the download action. py4web does not have it. Should this be used by the grid only? Should it be thread safe (can actions set/modify authorize or should it be global)?

Massimo

Jul 20, 2022, 6:03:09 AM
to py4web
Also, let's consider this. There are lots of features of web2py that I liked (authorize is one of them) but that almost nobody used. The result is that we ended up maintaining obscure functions when there was a more explicit way to do it.

Is this the case here?

For example, nothing prevents developers from defining their own download actions, with whatever logic they want, and linking them from the grid?

Isn't this more flexible and explicit than using authorized?

Massimo

mauri...@gmail.com

Jul 20, 2022, 6:16:29 AM
to py4web
It's true, most features rarely get used.
There are many who have their own defined functions/actions but defining it to be global would be a good idea.
My experience is in grid/SQLFORM.smartgrid... On the other hand, grid only would be a good start.

Jim Steil

Jul 20, 2022, 8:32:35 AM
to py4web
What features are you missing in grid?  We made no attempt to mimic smartgrid.  Personally, I don't see the need.  I'm using grid in htmx divs on my details page to list related records.  It isn't as convenient or 'automatic' as smartgrid, but I feel it provides a nice user interface.

-Jim