I’m working on a project.
This project must have many users. Each user can create, for example, many support tickets, and he can see them and edit them, but he is not allowed to access any other ticket that does not belong to him.
So, for example:
def edit_ticket():
    # the record is chosen by the URL argument alone: edit_ticket/[id]
    record = db.e_ticket(request.args(0), active=True) or redirect(URL('error'))
    form = crud.update(db.e_ticket, record, next='view_ticket/[id]')
    return dict(form=form)
In this way, with request.args(0), the user can edit every ticket in the system just by changing the id to any other id, and it will work:
edit_ticket/[id]
So I replaced request.args(0) with auth.user_id; it was a great solution, as I thought! But when we have many users, only the 1st and 2nd user can edit their tickets; the next users cannot do that and receive an error when they open “edit_Ticket/[id]”:
Error the document doesn't exist
What should I do to prevent users from bypassing their privileges?
Regards
It shouldn’t be:
db.e_ticket(request.args(0), user_id==auth.user_id, active==True)
but
db.e_ticket(request.args(0), user_id=auth.user_id, active=True)
because here we’re passing function arguments and not query conditions.
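The following is an added example, not code from the thread or from web2py itself. It is a dependency-free stand-in for web2py's `db.table(id, **filters)` lookup (the `e_ticket` function below is an assumption that mirrors that call's behaviour: it returns the row only when the id and every keyword filter match, otherwise `None`) so the three variants discussed above can be compared side by side: the original id-only lookup, which is an insecure direct object reference; the attempted fix that used `auth.user_id` as the record id, which only works for users whose id happens to equal one of their ticket ids; and the owner-scoped lookup from the answer, which enforces ownership inside the query. Table and field names (`e_ticket`, `user_id`, `active`) follow the thread; the `TICKETS` rows and user ids are constructed sample data, and `NotAuthorized` stands in for `redirect(URL('error'))`.

```python
# Added example: stand-in for web2py's db.e_ticket(id, **filters) lookup.
# Not web2py code; TICKETS rows and user ids are constructed sample data.

class NotAuthorized(Exception):
    """Raised where the web2py action would redirect(URL('error'))."""

# Constructed sample table: ticket id -> row. Ticket 3 belongs to user 7,
# which is what breaks the "use auth.user_id as the record id" approach.
TICKETS = {
    1: {"id": 1, "user_id": 1, "active": True,  "subject": "cannot log in"},
    2: {"id": 2, "user_id": 2, "active": True,  "subject": "wrong invoice"},
    3: {"id": 3, "user_id": 7, "active": True,  "subject": "password reset"},
    4: {"id": 4, "user_id": 7, "active": False, "subject": "old, closed ticket"},
}

def e_ticket(record_id, **filters):
    """Stand-in (assumption) for db.e_ticket(id, **kw): return the row with this
    id only if every keyword filter also matches, else None."""
    try:
        record_id = int(record_id)   # request.args(0) arrives as a string
    except (TypeError, ValueError):
        return None
    row = TICKETS.get(record_id)
    if row is None:
        return None
    for field, value in filters.items():
        if row.get(field) != value:
            return None
    return row

def edit_ticket_vulnerable(arg0, current_user):
    """Original action: the record is chosen by the URL argument alone, so the
    logged-in user is never consulted (insecure direct object reference)."""
    record = e_ticket(arg0, active=True)
    if record is None:
        raise NotAuthorized("the document doesn't exist")
    return record

def edit_ticket_userid_as_key(arg0, current_user):
    """The attempted fix from the question: auth.user_id used as the record id.
    This loads the ticket whose *id* equals the user id, which says nothing
    about ownership and fails for every user whose id matches no ticket id."""
    record = e_ticket(current_user, active=True)
    if record is None:
        raise NotAuthorized("the document doesn't exist")
    return record

def edit_ticket_owned(arg0, current_user):
    """Fixed action from the answer: the id from the URL must match AND the row
    must belong to the logged-in user, both enforced inside the lookup."""
    record = e_ticket(arg0, user_id=current_user, active=True)
    if record is None:
        raise NotAuthorized("the document doesn't exist")
    return record

def can_edit(action, arg0, current_user):
    """True if the action hands the row to this user, False if it redirects."""
    try:
        action(arg0, current_user)
        return True
    except NotAuthorized:
        return False

if __name__ == "__main__":
    # user 2 requesting edit_ticket/1, which is user 1's ticket
    print("vulnerable, user 2 on ticket 1:", can_edit(edit_ticket_vulnerable, "1", 2))  # True
    print("owned, user 2 on ticket 1:     ", can_edit(edit_ticket_owned, "1", 2))       # False
    # user 7 editing their own ticket 3
    print("user-id-as-key, user 7 on 3:   ", can_edit(edit_ticket_userid_as_key, "3", 7))  # False
    print("owned, user 7 on ticket 3:     ", can_edit(edit_ticket_owned, "3", 7))          # True
```

Running the block shows the difference the answer is making: with the owner filter passed as a keyword argument, a user who changes the id in the URL gets the same "document doesn't exist" redirect as for a genuinely missing ticket, so the application never reveals whether the foreign ticket exists, and users whose ids do not coincide with any ticket id (user 7 here) are no longer locked out of their own tickets.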