Holy cow, so helpful. The only thing I can add is that if you're doing a register form with a password, doing the SQLFORM factory will not give you the "verify password" field by default. And if you update, you'll need to filter the form vars. So this is what I'm doing:

form = SQLFORM.factory(db.auth_user
                       ,Field("verify_password", "password"
                            ,requires=IS_EXPR('value=={0}'.format(repr(request.vars.get('password', None)))
                                ,error_message="Password fields don't match"))
                       ,Field("captcha", widget=captcha_callable, default="ok"))

if form.process().accepted:

    db.auth_user.insert(**db.auth_user._filter_fields(form.vars))