Web2py includes, out of the box, a basic registration and login mechanism.
What’s missing is your decision about which pages should be accessible to which users. There are two components to this. The first is removing menu items based on the user or their status, and the second is disallowing access to pages based on the user or their status.
The fact is that even if you don’t provide a menu item for something, the user can still type the web address of that page into their browser and try to go straight there. So you must protect pages at their source.
But it’s annoying to a user to have a menu item that, when clicked, just tells them they can’t access that page. So we have to protect both menu items and pages.
Protecting Menus
Web2py defines the main navigational menu in models/menu.py. In here you’ll see things like:
response.menu = [(T('Home'), False, URL('default','index'), [])]
You can play with this to see how to add your own menu items. This file is loaded with every page, so you can put code in here that either adds or doesn’t add menu items based on the user’s status. For example, to display a menu item only when the user is logged in:
if auth.is_logged_in():
    response.menu += [(T('My Contests'), False, URL('member','contests'), [])]
See Chapter 8 in the Web2py book for more details on checking to see if a member has certain permissions. I’ll do a post on that when I get to that point.
Protecting Pages
Remember that a page is defined by a method in a controller. So we protect pages by telling Web2py that the page’s method should only be callable in certain circumstances. This is where we use the decorators from Chapter 8 in the Web2py book. For example:
@auth.requires_login()
def create():
    # code for page goes here
    return dict()
This is an easy way to protect a page. Now, if a user who is not logged in goes to that page, they’ll be given the login screen first. Again, I’ll do more on permission-based protection when I get to that point in my own project.
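Because a hidden menu item does not protect the page behind it, it helps to audit controllers for actions that have no decorator. The following is an added example, not code from the original post or from Web2py itself: it parses a controller's source and lists the exposed actions that carry no @auth.requires... decorator. It assumes the Web2py book's rule that functions taking arguments or starting with a double underscore are not exposed; the sample controller and the function names unprotected_actions and is_auth_decorator are constructed for illustration.

```python
import ast

# Constructed sample controller (not from the original post): 'contests' is
# reachable by URL even when its menu item is hidden from the user.
SAMPLE_CONTROLLER = '''
def index():
    return dict()

@auth.requires_login()
def create():
    return dict()

def contests():
    return dict()

def helper(record_id):
    return record_id

def __private():
    return None
'''


def is_auth_decorator(node):
    """True for @auth.requires_login(), @auth.requires_membership(...), etc."""
    target = node.func if isinstance(node, ast.Call) else node
    return (isinstance(target, ast.Attribute)
            and isinstance(target.value, ast.Name)
            and target.value.id == "auth"
            and target.attr.startswith("requires"))


def unprotected_actions(source):
    """Return names of exposed actions that carry no @auth.requires* decorator."""
    found = []
    for node in ast.parse(source).body:          # top-level definitions only
        if not isinstance(node, ast.FunctionDef):
            continue
        a = node.args
        takes_args = bool(a.posonlyargs or a.args or a.kwonlyargs or a.vararg or a.kwarg)
        if takes_args or node.name.startswith("__"):
            continue                              # assumed not reachable by URL
        if not any(is_auth_decorator(d) for d in node.decorator_list):
            found.append(node.name)
    return found


if __name__ == "__main__":
    print("no auth decorator:", unprotected_actions(SAMPLE_CONTROLLER))
```

Every name it reports is a page anyone can request directly; pages such as index may be public on purpose, so the list is for review rather than an automatic failure.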