Elteroooo

Reputation: 3081

web2py request.args(0) permissions

I'm working on a project. This project must have many users; each user can create, for example, many support tickets, and he could see them and edit them, but he is not allowed to access any other ticket which does not belong to him. So, for example:

def edit_ticket():
    # looks the ticket up by the id taken from the URL only; nothing ties it to the current user
    record = db.e_ticket(request.args(0), active=True) or redirect(URL('error'))
    form = crud.update(db.e_ticket, record, next='view_ticket/[id]')
    return dict(form=form)

In this way, with request.args(0), the user can edit every ticket in the system just by changing the id to any other id, and edit_ticket/[id] will work.

So I replaced request.args(0) with auth.user_id; it was a great solution, as I thought! But when we have many users, only the 1st and 2nd user could edit their tickets; the next users cannot do that and receive an error when they do this: "edit_Ticket/[id]"

Error the document doesn't exist

What should I do to prevent users from bypassing their privileges?

Regards

Upvotes: 0

Views: 1516

Answers (3)

Anthony

Reputation: 25536

Maybe look into using authorization and CRUD (and generally how to set permissions on particular database records).

Note, you can't replace request.args(0) with auth.user_id. request.args(0) is referring to the id of the e_ticket record, not the user id. If the e_ticket table includes a field referencing the user id (e.g., e_ticket.user_id), then you could add user_id=auth.user_id as a condition.

next='view_ticket/[id]'

You should use the URL() function to create URLs -- URL(f='view_ticket',args=[id]). Also, what is [id] supposed to be -- I don't see any reference to id in the code?

Upvotes: 0

Elteroooo

Reputation: 3081

It shouldn't be:

db.e_ticket(request.args(0),user_id==auth.user_id,active==True)

but

db.e_ticket(request.args(0), user_id=auth.user_id, active=True)

because here we're passing function arguments and not query conditions.

Upvotes: 1
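The ownership-scoped lookup that the question and the two answers above arrive at, as an added example that is not code from any of the original posts. web2py is not imported here: e_ticket() and the TICKETS rows are a constructed stand-in for db.e_ticket(id, **conditions) and the question's table, so the three lookup styles can be compared offline.

```python
# Added example: the three lookups from the thread above, runnable offline.
# e_ticket() and TICKETS are a constructed stand-in for web2py's
# db.e_ticket(id, **conditions) and the question's e_ticket table.

# Constructed sample rows. Ticket ids stop lining up with user ids after the
# second user, which is the situation the question runs into.
TICKETS = [
    {"id": 1, "user_id": 1, "active": True},
    {"id": 2, "user_id": 2, "active": True},
    {"id": 3, "user_id": 1, "active": False},   # closed ticket of user 1
    {"id": 4, "user_id": 3, "active": True},    # user 3's first ticket
    {"id": 5, "user_id": 3, "active": True},
]

def e_ticket(record_id, **conditions):
    """Stand-in for db.e_ticket(id, **kw): the row with this id that also
    satisfies every keyword condition, else None (the DAL returns None too)."""
    try:
        record_id = int(record_id)          # request.args(0) arrives as a string
    except (TypeError, ValueError):
        return None
    for row in TICKETS:
        if row["id"] == record_id and all(row.get(k) == v for k, v in conditions.items()):
            return dict(row)
    return None

def lookup_unscoped(arg0):
    """The question's original code: any caller may load any active ticket (IDOR)."""
    return e_ticket(arg0, active=True)

def lookup_by_user_id(auth_user_id):
    """The question's attempted fix: the user id is used as the ticket id, so it
    only 'works' while a user's id happens to equal one of their own ticket ids."""
    return e_ticket(auth_user_id, active=True)

def lookup_scoped(arg0, auth_user_id):
    """Anthony's fix: look up by ticket id and require ownership in the same call."""
    return e_ticket(arg0, user_id=auth_user_id, active=True)

if __name__ == "__main__":
    print(lookup_unscoped("4"))            # user 3's ticket, loadable by anyone
    print(lookup_by_user_id(3))            # None, so the controller redirects to 'error'
    print(lookup_scoped("4", 3))           # the owner gets the row
    print(lookup_scoped("4", 1))           # None: another user is refused
```

In the real controller the scoped call is the `record = db.e_ticket(request.args(0), user_id=auth.user_id, active=True) or redirect(URL('error'))` line; the `or redirect(...)` is what turns the None into the error page.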

HYRY

Reputation: 97331

web2py has built-in user access control. Please reference the web2py book:

Users should log in to edit their tickets, so you can use @auth.requires_login() to decorate edit_ticket(). In edit_ticket() you can check first whether the user_id has the ticket_id.

Upvotes: 0
