ehab
Date: 11/30/2011 10:03 am · Subject: Secure way · Rating: -2
Is there a secure way to implement record-level permissions on Thingy? I want a user to only see records meant for them. In my mind, the association of the username with the record and then doing templates that will make him only see his searched records is not safe, since any other registered user that can play HTML can see the other user's records if they know their usernames.

Ehab Heikal
Web Development and design in Egypt, Arabic Portal with news chat and Videos using WebGUI
Quote: An eye for an Eye only helps make the whole world blind Gandhi

--- (Edited on 11/30/2011 10:03 am [GMT-0600] by ehab) ---
xootom
Date: 11/30/2011 10:30 am · Subject: Re: Secure way · Rating: -1
Just set the Thingy 'who can view' and 'who can edit' to Owner.

--- (Edited on 30-11-2011 16:30:01 [GMT+0000] by xootom) ---
perlDreamer
Date: 11/30/2011 10:31 am · Subject: Re: Secure way · Rating: -2
If I recall correctly, the Thingy has a permissions setting called "Owner", where only the person who creates a record can view it or edit it. So if your users are creating the content in the Thingy that would work. If that isn't the case, you could become that user, and then create the rows in the Thingy.

However, from an Admin point of view, there's no way to assign individual permissions to content. If you have to go that route, you can always create multiple Things in the Thingy, each with their own group to view permissions.

--- (Edited on 11/30/2011 8:31 am [GMT-0800] by perlDreamer) ---
martien
Date: 12/1/2011 10:23 am · Subject: Re: Secure way · Rating: -2
My solution for that was to extend Thingy_things with onlyOwnerEntries (to view, anything a user adds) and a userId or field_UserId (or username) field within the entries (Thingy_XXX).

--- (Edited on 2011-12-01 17:23 [GMT+0100] by martien) ---