I would like to restrict users to database entries only they have created. Is their any standard web2py way of doing this?开发者_如何学C auth.requires_permission looked good, but it appears to require a hard-coded row id, which doesn't solve my problem.
This shouldn't be handled by web2py. Your database is supposed to handle user permissions for this, so you will need to look in the documentation for the db backend you are using.
Also, if everyone has a separate user account on your front end that all connect to a single database user, then you won't be able to control the permissions at all without a bunch of independent "security" code added on top of and around your database. For instance, a table in the database that looks at a field supplied by web2py when it connects to determine the "user" and then set the hand coded privileges accordingly. Databases have users for this very reason.
You can do that using CRUD
http://web2py.com/book/default/chapter/08#Authorization-and-CRUD
You can define permissions for each record, with a little bit of code you will be able to set permission defaults to the user group id at the time of record creation.
Add a 'created_by' field in the db. Insert the user id when inserting the record. Use this to filter while selecting.
Perhaps give common filters a try: http://web2py.com/books/default/chapter/29/06?search=common+filter#Common-filters
db.some_table._common_filter = lambda query: db.some_table.created_by == auth.user.id
Use a callback on delete function and return True if the user did not create the row.
db.some_table._bedfore_delete = lambda query: False if db.some_table.created_by == auth.user_id else True
精彩评论