Detecting changes to auth_user record of logged in user.


Michael Ellis

Oct 6, 2016, 6:15:02 PM10/6/16
to web2py-users

I have the following code as a json service for changing user privileges.  This app doesn't need the fine-grained control of Web2py RBAC so I've added an integer userlevel field to auth_user.  It mostly works as intended except when a logged-in user alters her own userlevel.  The change isn't detected unless she logs out and then back in.  I understand this is because the auth.user record is cached in the session.  What's the right way to update a logged-in user whose auth_user record may have changed?

@service.json
def set_user_group():
    """
    Changes a user's group (userlevel)
    Args:
        first_name, last_name, newgroup in request.args
    Returns: error message if auth fails
    Raises:  Nothing
    """
    err = None
    # auth.user is the copy of the auth_user row that web2py stored in the
    # session at login time, so the privilege check below reads that copy.
    if auth.is_logged_in() and auth.user.userlevel >= 2:
        # Ok to change it
        if len(request.args) < 3:
            return dict(msg="Expected first_name, last_name and newgroup in request.args")
        first, last, newgroup = tuple(request.args)[-3:]
        tbl = db.auth_user
        qry = ((tbl.first_name == first) & (tbl.last_name == last))
        rows = db(qry).select()
        assert len(rows) <= 1  ## should be impossible to have duplicate names
        if len(rows) == 0:
            err = "User '{} {}' not found in database!".format(first, last)
        else:
            user_id = rows[0][tbl.id]
            levels = dict(user=0, tech=1, admin=2)
            if newgroup.lower() not in levels:
                err = "Unknown group '{}'".format(newgroup)
            else:
                newlevel = levels[newgroup.lower()]
                # Updates the table only; the session copy in auth.user is untouched
                db(tbl.id == user_id).update(userlevel=newlevel)
    else:
        err = "Changing user groups requires log-in with admin privileges"
    return dict(msg=err)


Marlysson Silva

Oct 7, 2016, 8:27:10 AM10/7/16
to web2py-users
Isn't it because you are putting the user level hardcoded? Then, after that user changes their own level, the verification doesn't work any more.

1. If you want user names to be unique, mark the field in the table with the validator unique=True
2. The number of rows returned can be obtained with count(): db(query).count()

Michael Ellis

Oct 7, 2016, 10:16:23 AM10/7/16
to web2py-users
Thanks, Marlysson. I understand why it's going wrong when the user changes their own level.  My question was aimed at finding out whether web2py has a convenience function to refresh auth.user from db.auth_user.  Otherwise I have to use an ugly construct like:

    try:
        aid = auth.user.id  # raises AttributeError if not logged in (auth.user is None)
        # re-read the level from the table instead of trusting the session copy
        row = db(db.auth_user.id == aid).select(db.auth_user.userlevel).first()
        authlevel = row.userlevel if row else 0  # row is None if the account was deleted
    except AttributeError:
        authlevel = 0

Anthony

Oct 7, 2016, 10:31:52 AM10/7/16
to web2py-users
Have you tried adding:

    auth.user.update(userlevel=newlevel)

Anthony

Michael Ellis

Oct 7, 2016, 11:53:10 AM10/7/16
to web2py-users
Thanks, Anthony. That works nicely.
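
An added example, not code from this thread or from web2py itself, showing the mechanism the thread is about and its limits. It uses constructed stand-ins: sqlite3 plays the role of db.auth_user, and a small dict subclass plays the role of the auth.user Storage that web2py copies into the session at login. The account names and levels are made up. Anthony's fix (refreshing the caller's own session copy after the update) covers the self-change case; the example also shows that it cannot reach another logged-in user's session, so a privilege check that only trusts the session copy keeps honouring a level that an admin has already revoked. Re-reading userlevel from the table on each privileged request, as Michael's second snippet does, closes that gap.

```python
"""Session-cached privilege going stale: constructed stand-ins, not web2py code.
sqlite3 stands in for db.auth_user; Storage stands in for session.auth.user."""
import sqlite3

# Same group-to-level mapping as the thread's service.
LEVELS = {"user": 0, "tech": 1, "admin": 2}


class Storage(dict):
    """Minimal imitation of gluon.storage.Storage: attribute access on a dict."""

    def __getattr__(self, key):
        return self.get(key)


def make_db():
    """In-memory auth_user table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, first_name TEXT, "
               "last_name TEXT, userlevel INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO auth_user (first_name, last_name, userlevel) VALUES (?, ?, ?)",
                   [("Alice", "Admin", 2), ("Bob", "Builder", 2),
                    ("Carol", "Client", 0), ("Dave", "Deputy", 2)])
    db.commit()
    return db


def login(db, first, last):
    """Mimic login: snapshot the auth_user row into the session. The snapshot is the cache."""
    row = db.execute("SELECT id, first_name, last_name, userlevel FROM auth_user "
                     "WHERE first_name = ? AND last_name = ?", (first, last)).fetchone()
    return Storage(id=row[0], first_name=row[1], last_name=row[2], userlevel=row[3])


def current_level(db, session_user):
    """Authoritative level: re-read from the table on every privileged request.
    Returns 0 when nobody is logged in or the account no longer exists."""
    if session_user is None:
        return 0
    row = db.execute("SELECT userlevel FROM auth_user WHERE id = ?", (session_user.id,)).fetchone()
    return row[0] if row else 0


def set_user_group(db, session_user, first, last, newgroup, refresh_session=True):
    """Hardened counterpart of the thread's service; returns dict(msg=error_or_None)."""
    if current_level(db, session_user) < 2:
        return dict(msg="Changing user groups requires log-in with admin privileges")
    newlevel = LEVELS.get(newgroup.lower())
    if newlevel is None:
        return dict(msg="Unknown group '{}'".format(newgroup))
    rows = db.execute("SELECT id FROM auth_user WHERE first_name = ? AND last_name = ?",
                      (first, last)).fetchall()
    if len(rows) != 1:  # zero rows: unknown user; several rows: ambiguous, refuse
        return dict(msg="User '{} {}' not found or not unique".format(first, last))
    target_id = rows[0][0]
    db.execute("UPDATE auth_user SET userlevel = ? WHERE id = ?", (newlevel, target_id))
    db.commit()
    if refresh_session and target_id == session_user.id:
        # Equivalent of auth.user.update(userlevel=newlevel): only the caller's own
        # session copy can be refreshed here; other users' sessions are out of reach.
        session_user.update(userlevel=newlevel)
    return dict(msg=None)


def demo():
    """Run the scenarios and return what the session copy and the table each report."""
    db = make_db()
    alice, bob, dave, carol = (login(db, f, l) for f, l in
                               [("Alice", "Admin"), ("Bob", "Builder"),
                                ("Dave", "Deputy"), ("Carol", "Client")])
    out = {}
    # 1. Alice demotes Bob while Bob is logged in: Bob's cached level stays 2, but
    #    the per-request table check refuses his next privileged call anyway.
    set_user_group(db, alice, "Bob", "Builder", "tech")
    out["bob_cached"] = bob.userlevel
    out["bob_db"] = current_level(db, bob)
    out["bob_refused"] = set_user_group(db, bob, "Carol", "Client", "admin")["msg"] is not None
    # 2. The thread's symptom: Dave demotes himself without refreshing the session copy.
    set_user_group(db, dave, "Dave", "Deputy", "user", refresh_session=False)
    out["dave_cached"] = dave.userlevel
    out["dave_db"] = current_level(db, dave)
    # 3. Alice demotes herself with the refresh: both views agree immediately.
    set_user_group(db, alice, "Alice", "Admin", "user")
    out["alice_cached"] = alice.userlevel
    out["alice_db"] = current_level(db, alice)
    # 4. A plain user is refused outright.
    out["carol_refused"] = set_user_group(db, carol, "Bob", "Builder", "admin")["msg"] is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of scenario 1 is the one a practitioner should carry back to the real service: after the table update, refreshing auth.user fixes the caller's own view, while the privilege check itself should read userlevel from db.auth_user (one indexed lookup per request) rather than from the session copy.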
