Permission checking is always a two-step process:

1. Check permission to access the controller/function
2. Check permission to access the database table

The first step is done at a central point, in {{{00_utils.py}}} before the models are loaded. If the ACLs, as defined for the current user, do not specify any permission for the target controller/function, then the request gets rejected before any models are loaded or the controller is entered.

The second step has to be implemented in the respective controller functions. This can be done in two ways:

- the controller uses s3_rest_controller() with S3CRUD, or,
- the controller uses auth.s3_has_permission() and/or auth.s3_accessible_query() to check permissions before exposing any data to the user

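The two steps above, as an added, self-contained illustration that is not Sahana Eden code: the central gate keyed on controller/function runs first, and the controller then checks the table with auth.s3_has_permission() and filters rows with auth.s3_accessible_query() before returning any data. The auth object, the ACL layout, the table name and the sample rows are all constructed stand-ins; the real Eden signatures and ACL format differ.

```python
# Added illustration of the two-step permission check (not Sahana Eden code).
# FakeAuth, USER_ACL, INCIDENT_ROWS and the table name are constructed.

class RequestRejected(Exception):
    """Raised when the central (step 1) or controller (step 2) check fails."""

# Constructed ACL for one user: allowed controller/function pairs and
# allowed methods per table. Not the real Eden ACL format.
USER_ACL = {
    "controllers": {("irs", "incident"): {"read"}},
    "tables": {"irs_incident": {"read"}},
}

# Constructed sample rows; owner_org stands in for whatever scope the
# accessible query restricts records to.
INCIDENT_ROWS = [
    {"id": 1, "name": "Flood", "owner_org": "ORG_A"},
    {"id": 2, "name": "Fire", "owner_org": "ORG_B"},
]

class FakeAuth:
    """Stand-in for auth; method names follow the page, bodies are constructed."""
    def __init__(self, acl, user_org):
        self.acl, self.user_org = acl, user_org

    def s3_has_permission(self, method, table):
        return method in self.acl["tables"].get(table, set())

    def s3_accessible_query(self, method, table):
        # Returns a row filter here; the real function returns a DB query.
        if not self.s3_has_permission(method, table):
            return lambda row: False
        return lambda row: row["owner_org"] == self.user_org

def central_check(acl, controller, function):
    """Step 1: runs before models load; reject if no ACL entry for c/f."""
    if not acl["controllers"].get((controller, function)):
        raise RequestRejected("no permission for %s/%s" % (controller, function))

def incident_controller(auth, rows):
    """Step 2: the controller checks the table before exposing any data."""
    if not auth.s3_has_permission("read", "irs_incident"):
        raise RequestRejected("not permitted to read irs_incident")
    accessible = auth.s3_accessible_query("read", "irs_incident")
    return [row for row in rows if accessible(row)]

def handle_request(controller, function, auth, rows):
    """Central gate first, controller second; data is only reached via both."""
    central_check(auth.acl, controller, function)
    return incident_controller(auth, rows)
```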