On Tue, 2007-09-25 at 18:58 +0000, voltron wrote:
> I have 2 URLs:
>
> /profile
> /save_profile
>
> "/profile" renders a form that has "/save_profile" as its action
> attribute. Unfortunately, one could do this:
>
> www.mydomain.com/save_profile
>
> and it would be executed. Is there a way to make such urls not
> callable to the outside world? Can such URLs be masked/hidden? I had
> to add it in my routes configuration otherwise the form would not have
> found it.
Are you trying to prevent CSRF attacks? If so, the only way is to include a secret in all your forms that corresponds to the user's cookie.

Or are you just trying to not allow HTTP GET requests? If so, pass conditions=dict(method="POST") to your routing.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
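The two answers above (restrict /save_profile to POST, and bind a form secret to the user's cookie) are shown together below in a small stand-alone example. This is added illustration, not code from the thread or from Pylons/Routes: instead of importing Routes it uses a constructed route table whose allowed-method set plays the role of conditions=dict(method="POST"), a constructed server secret, and a session id standing in for whatever the session cookie carries. The form token is an HMAC of that session id under the server secret, so a token lifted from one session does not validate for another, and a POST without the token is refused even though the method check alone would let it through.

```python
import hashlib
import hmac

# Constructed secret for this example; a real deployment loads it from
# configuration, never from source.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def csrf_token_for(session_id: str) -> str:
    """Derive the per-user form secret: HMAC-SHA256 of the session id.

    Because the token depends on the session cookie, a page on another
    origin cannot produce it for the victim's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not token:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), token)


def profile(session_id: str, form: dict):
    """GET /profile: render the form with the hidden CSRF field filled in."""
    token = csrf_token_for(session_id)
    html = (
        '<form method="POST" action="/save_profile">'
        f'<input type="hidden" name="_csrf" value="{token}">'
        '<input type="text" name="display_name">'
        '<input type="submit" value="Save">'
        '</form>'
    )
    return 200, html


def save_profile(session_id: str, form: dict):
    """POST /save_profile: refuse any request whose token does not match the session."""
    if not csrf_token_valid(session_id, form.get("_csrf")):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, "profile saved"


HANDLERS = {"profile": profile, "save_profile": save_profile}

# Constructed route table (hypothetical; stands in for a Routes Mapper).
# The allowed-method set corresponds to conditions=dict(method="POST")
# on the save_profile route.
ROUTES = [
    ("/profile", "profile", {"GET"}),
    ("/save_profile", "save_profile", {"POST"}),
]


def dispatch(method: str, path: str, session_id: str, form: dict = None):
    """Minimal dispatcher: 404 for unknown paths, 405 for a disallowed method."""
    form = form or {}
    for pattern, action, methods in ROUTES:
        if pattern == path:
            if method not in methods:
                return 405, "Method Not Allowed"
            return HANDLERS[action](session_id, form)
    return 404, "Not Found"


if __name__ == "__main__":
    # Walk through the cases from the thread with a constructed session id.
    sid = "session-abc123"
    print("GET /save_profile ->", dispatch("GET", "/save_profile", sid))
    status, html = dispatch("GET", "/profile", sid)
    token = csrf_token_for(sid)
    print("POST without token ->", dispatch("POST", "/save_profile", sid))
    print("POST with token    ->", dispatch("POST", "/save_profile", sid, {"_csrf": token}))
    print("token from other session ->", dispatch("POST", "/save_profile", "session-xyz", {"_csrf": token}))
```

The method restriction answers the literal question (a bare browser visit to /save_profile is a GET and gets a 405), but it is the token check in save_profile that addresses CSRF, since a hostile page can still cause the browser to send a POST; the 405 only removes the accidental-GET case.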
