Hi,

If you're really worried about this, one slight modification is to  
generate a signature for your page (with some expiration time built  
in) and use that to make the call. Your controller can check whether  
the call is indeed coming from your page API.

It is trivial to disassemble this logic, but it does provide a higher  
barrier to entry. It is also useful for preventing XSS attacks.

regards
--
/A

On 20-Oct-08, at 7:46 PM, jerry wrote:

>
> With your current design, you can't.
>
> For my site, I do not have separate controllers/routes for AJAX,
> instead, different values are returned from a generic controller
> according to request type --
>
> class ElementController(BaseController):
>    def get(self, id):
>        populate_c(id)
>        if request.is_xhr:
>            return render('ajax_fragment_template')
>        return render('full_page_template')
>
> Jerry
>
> On Oct 15, 10:26 am, "przemek.ch" <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> I've build two select boxes. Onchange method on the first selectbox I
>> fill with ajax the second one using the selected value as a  
>> parameter.
>> It works.
>>
>> function loadElements(groupID){
>>     $("#secondSelectDiv").load("${h.url_for(controller='ajax',
>>         action='getElements', id='')}" + groupID);
>> }
>>
>> The problem is that an url is generated to my method.
>> for example http://localhost:5000/ajax/getElements/1
>> And it can be called directly from the browser.
>>
>> How can I hide or block that.
>>
>> If I'll use from pylons.decorators.rest @restrict('POST') on the
>> method then it will also be blocked for the jquery load method.
>>
>> Any ideas?

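The signed, expiring token that the first reply sketches, as an added example that is not code from the thread or from Pylons itself. `SECRET_KEY`, `TOKEN_TTL`, `make_token`, `verify_token` and `get_elements` are hypothetical names; the page would embed `make_token('getElements')` in the rendered template, the jQuery call would pass it along, and the controller would call `get_elements` before returning the fragment. As the reply notes, the token is visible in the page source, so anyone who can fetch the page can make the call for as long as the token is valid; the expiry and the action binding are what limit that window.

```python
# Added example (not from the thread): HMAC-signed, expiring token that a page
# embeds and an AJAX controller verifies before serving a fragment.
# All names here are hypothetical; the secret and timestamps are constructed.
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # server-side only
TOKEN_TTL = 300  # seconds a token stays valid after it is issued


def _sign(payload, key=SECRET_KEY):
    """Return a urlsafe-base64 HMAC-SHA256 tag over the payload string."""
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_token(action, now=None, key=SECRET_KEY):
    """Return 'action:expiry:signature' for embedding in the rendered page.

    Binding the action name into the payload stops a token issued for one
    AJAX endpoint from being replayed against another.
    """
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL
    payload = "%s:%d" % (action, expiry)
    return "%s:%s" % (payload, _sign(payload, key))


def verify_token(token, action, now=None, key=SECRET_KEY):
    """True only if the token is well formed, unexpired, issued for this
    action and carries a valid signature; every failure returns False."""
    now = time.time() if now is None else now
    try:
        tok_action, expiry_str, sig = token.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return False
    if tok_action != action or expiry < now:
        return False
    expected = _sign("%s:%d" % (tok_action, expiry), key)
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(expected, sig)


def get_elements(token, group_id, now=None):
    """Controller-side check from the thread's suggestion: refuse the
    request unless it carries a valid token for this action.

    Returns (status_code, body) in place of a real Pylons response.
    """
    if not verify_token(token, "getElements", now=now):
        return 403, ""
    # Constructed stand-in for the rendered <option> fragment.
    return 200, "<option>elements for group %s</option>" % group_id


if __name__ == "__main__":
    issued = time.time()
    tok = make_token("getElements", now=issued)
    print("token:", tok)
    print("fresh call:", get_elements(tok, "1", now=issued + 10)[0])
    print("after expiry:", get_elements(tok, "1", now=issued + TOKEN_TTL + 1)[0])
    print("wrong action:", verify_token(tok, "deleteElements", now=issued + 10))
```

A direct browser visit to `/ajax/getElements/1` without the token, or with a token that has expired or was issued for another action, gets a 403; a tampered signature fails the constant-time comparison. Keep `SECRET_KEY` out of the template context so it never reaches the client.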

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.