web2py request.args(0) permissions

Posted 2024-11-29 05:17:35


I'm working on a project. This project must have many users; each user can create, for example, many support tickets, and he can see them and edit them, but he is not allowed to access any other ticket that does not belong to him.
So, for example:

def edit_ticket():
    record = db.e_ticket(request.args(0),active=True) or redirect(URL('error'))
    form=crud.update(db.e_ticket,record,next='view_ticket/[id]')
    return dict(form=form)

In this way, with request.args(0), the user can edit every ticket in the system just by changing the id to any other id, and it will work:
edit_ticket/[id]

So I replaced request.args(0) with auth.user_id; it was a great solution, as I thought! But when we have many users, only the 1st and 2nd users can edit their tickets; the next users cannot do that and receive an error when they open "edit_ticket/[id]":

Error the document doesn't exist

What should I do to prevent users from bypassing their ticket privileges?

Regards


Comments (3)

記柔刀 2024-12-06 05:17:35


It shouldn't be:

db.e_ticket(request.args(0),user_id==auth.user_id,active==True)

but

db.e_ticket(request.args(0),user_id=auth.user_id,active=True)

because here we're passing function arguments, not query conditions.

奢华的一滴泪 2024-12-06 05:17:35


web2py has built-in user access control; please refer to the web2py book.

Users should log in to edit their tickets, so you can decorate edit_ticket() with @auth.requires_login(). In edit_ticket() you can first check whether the user_id owns the ticket_id.

橘和柠 2024-12-06 05:17:35


Maybe look into using authorization and CRUD (and generally how to set permissions on particular database records).

Note that you can't replace request.args(0) with auth.user_id: request.args(0) refers to the id of the e_ticket record, not the user id. If the e_ticket table includes a field referencing the user id (e.g., e_ticket.user_id), then you can add user_id=auth.user_id as a condition.

next='view_ticket/[id]'

You should use the URL() function to create URLs: URL(f='view_ticket',args=[id]). Also, what is [id] supposed to be? I don't see any reference to id in the code.
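An added example, not part of this thread and not web2py's own code: the three lookups discussed above, run against a small sqlite3 stand-in for the DAL table so the difference is visible without a web2py install. It assumes e_ticket has a user_id column pointing at the owner (as the last answer suggests) and an active flag; the ticket rows are constructed for the example. It reproduces the bypass in the original controller, the "document doesn't exist" symptom of the auth.user_id substitution, and the ownership-scoped lookup from the first answer, with request.args(0) validated as an integer before it reaches the query.

```python
import sqlite3
from typing import Optional

# Constructed sample data (an assumption for this example, not the poster's
# real table): e_ticket has id, user_id (owner) and active columns. Ticket
# ids 1 and 2 happen to belong to users 1 and 2; there is no ticket with id 3.
SAMPLE_TICKETS = [
    # (id, user_id, subject, active)
    (1, 1, "Cannot log in", 1),
    (2, 2, "Invoice missing", 1),
    (10, 1, "Password reset loop", 1),
    (11, 3, "Export fails", 1),
    (12, 2, "Old closed ticket", 0),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the web2py DAL table db.e_ticket."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE e_ticket ("
        " id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,"
        " subject TEXT NOT NULL, active INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO e_ticket VALUES (?, ?, ?, ?)", SAMPLE_TICKETS)
    return db


def parse_ticket_id(arg0: Optional[str]) -> Optional[int]:
    """request.args(0) arrives as a string (or None); accept only digits."""
    if arg0 is None or not arg0.isdigit():
        return None
    return int(arg0)


def load_ticket_vulnerable(db, ticket_id: int):
    """The original lookup, db.e_ticket(request.args(0), active=True):
    the WHERE clause never mentions the caller, so any active ticket id works."""
    row = db.execute(
        "SELECT id, user_id, subject FROM e_ticket WHERE id = ? AND active = 1",
        (ticket_id,),
    ).fetchone()
    return dict(row) if row else None


def load_ticket_by_user_id_mistake(db, current_user_id: int):
    """The poster's attempt, db.e_ticket(auth.user_id, active=True): the user
    id is used as the ticket id. It only 'works' for users whose id happens to
    match an existing ticket id; every other user gets no record, which is the
    'document doesn't exist' symptom."""
    return load_ticket_vulnerable(db, current_user_id)


def load_ticket_for_user(db, ticket_id: int, current_user_id: int):
    """The fix from the first answer, db.e_ticket(request.args(0),
    user_id=auth.user_id, active=True): ownership is part of the query, so a
    ticket belonging to someone else looks exactly like a missing one."""
    row = db.execute(
        "SELECT id, user_id, subject FROM e_ticket"
        " WHERE id = ? AND user_id = ? AND active = 1",
        (ticket_id, current_user_id),
    ).fetchone()
    return dict(row) if row else None


def edit_ticket_record(db, arg0: Optional[str], current_user_id: int):
    """Hardened equivalent of the controller's first line: returns the record
    the form may edit, or None where the controller would redirect to 'error'."""
    ticket_id = parse_ticket_id(arg0)
    if ticket_id is None:
        return None
    return load_ticket_for_user(db, ticket_id, current_user_id)


if __name__ == "__main__":
    db = make_db()
    # User 2 reaches user 1's ticket 10 through the original lookup...
    print(load_ticket_vulnerable(db, 10))
    # ...but not through the ownership-scoped one (None -> redirect to error).
    print(edit_ticket_record(db, "10", 2))
    # The auth.user_id substitution: works by coincidence for users 1 and 2,
    # returns nothing for user 3.
    print([load_ticket_by_user_id_mistake(db, uid) for uid in (1, 2, 3)])
```

The point to carry back into the web2py controller is that the owner check belongs in the same lookup that fetches the record (the keyword-argument form the first answer shows), not in a separate step after a lookup by id alone; a missing row and a foreign row then both take the redirect(URL('error')) branch, and the page leaks nothing about which it was.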
