web2py, creating a form with dropdown of thing a user own to choose from

Question

Consider the auth_user table, a simple song table and a owner table. Consider a song has only one author which is the logged in user and can be own by only one owner. Also consider that a user can have many known potential owners.

Owner table:

db.define_table(
    'owner',
    Field('user_id', 'reference auth_user'),
    Field('name'),
    Field('first_name'),
    Field('telephone'),
    format = '%(name)s, %(first_name)s'
    )

song table

db.define_table(
    'song',
    Field('user_id', 'reference auth_user'),
    Field('owner_id', 'reference owner', requires=IS_EMPTY_OR(IS_IN_DB(db, db.owner.id))),
    Field('name'),
    Field('description', 'text'),
    )

Consider a simple function in a controller:

def create():
    form = SQLFORM(db.song).process(next=URL('index'))
    return dict(form=form)

I am trying to create a form were a user can assign a known owner to a song. Sadly right now a user can assign other user's known owner to their song.

What should I do to make sure the form only list the user's known owner? Is there a way to enforce this at the database layer to prevent against id injection and owner_id fishing?

Thank you,

Answer 1

The first argument to IS_IN_DB can be a DAL Set object defining a subset of records:

requires=IS_EMPTY_OR(IS_IN_DB(db(db.owner.user_id == auth.user_id),
                              db.owner.id, db.owner._format))

That will limit the list of db.owner records to those with user_id equal to that of the current logged in user (i.e., auth.user_id).

You might also want to decorate the create() function with @auth.requires_login(), since the current user is only known to the app if logged in.