Some of the information here may be outdated; please check the book instead.

Let's say you have a model to store media files (images, movies, etc)


and you have Auth and Crud enabled via:

from gluon.tools import *

In order to allow login/logout, post media files and retrieve them, in the controller you have:

def post(): return dict(form=crud.create(db.album))
def download(): return response.download(request,db)
def user(): return dict(form=auth())

How do you make sure that only the user who posted a media file can download it?

You can do this in two steps:

  • when a user posts a media file, give that user permission to read it
  • when a user tries to download a media file, check that the user has that permission

This is accomplished by the following complete controller:

def give_permission(form):
    auth.add_permission(0,'read',db.album,form.vars.id)

def check_permission(row):
    return auth.is_logged_in() and auth.has_permission('read',db.album,row.id)

# the upload field of db.album (assumed here to be named 'file'; use your model's name)
# must call check_permission before a file is served, otherwise the check never runs
db.album.file.authorize=check_permission

def post(): return dict(form=crud.create(db.album,onaccept=give_permission))
def download(): return response.download(request,db)
def user(): return dict(form=auth())

Notice that web2py by default streams large files on both upload and download and supports range requests for partial content. This means you can use the above code to upload and serve (with access control) not just images but also movies of arbitrary length.

The first argument 0 of auth.add_permission refers to the unique group of the currently logged-in user.
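To show the two-step check in isolation, here is an added, framework-free simulation of the recipe (not web2py code): FakeAuth, album, post and download are stand-ins for auth, db.album, crud.create and response.download, and the group numbering is constructed. It reproduces the recipe's rules: a read grant bound to the new record's id at upload time, argument 0 meaning the uploader's own group, and a 403 for anyone else (logged in or not) who asks for that record.

```python
from dataclasses import dataclass, field

@dataclass
class FakeAuth:                                   # stand-in for web2py's auth, not gluon.tools.Auth
    user_id: object = None                        # None means nobody is logged in
    groups: dict = field(default_factory=dict)    # user_id -> that user's unique group id
    grants: set = field(default_factory=set)      # (group_id, name, table, record_id)

    def login(self, user_id):                     # constructed: one group per user, as Auth does
        self.user_id = user_id
        if user_id is not None:
            self.groups.setdefault(user_id, 1000 + user_id)

    def is_logged_in(self):
        return self.user_id is not None

    def add_permission(self, group_id, name, table, record_id):
        if group_id == 0:                         # 0 = unique group of the current user
            group_id = self.groups[self.user_id]
        self.grants.add((group_id, name, table, record_id))

    def has_permission(self, name, table, record_id):
        return self.is_logged_in() and \
            (self.groups[self.user_id], name, table, record_id) in self.grants

auth = FakeAuth()
album = {}   # stands in for db.album: record id -> row

def give_permission(form):      # the crud.create onaccept callback from the recipe
    auth.add_permission(0, 'read', 'album', form['id'])

def check_permission(row):      # the upload field's authorize hook from the recipe
    return auth.is_logged_in() and auth.has_permission('read', 'album', row['id'])

def post(user_id, filename):
    """Logged-in user stores a file; the read grant is bound to the new record id."""
    auth.login(user_id)
    record_id = len(album) + 1
    album[record_id] = {'id': record_id, 'file': filename}
    give_permission({'id': record_id})
    return record_id

def download(user_id, record_id):
    """Like response.download: 404 for an unknown record, 403 when authorize() fails."""
    auth.login(user_id)
    row = album.get(record_id)
    if row is None:
        return 404
    return row['file'] if check_permission(row) else 403
```

Because the grant names the record id rather than the file name, changing the record id in the download URL only produces a 403 or a 404, never another user's file.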

This example code works on the Google App Engine (GAE) with the size limitations imposed by GAE. In the GAE case uploaded media files are stored in Google Bigtable.

© 2008-2010 by Massimo Di Pierro - All rights reserved - Powered by web2py - design derived from a theme by the earlybird
The content of this book is released under the Artistic License 2.0 - Modified content cannot be reproduced.