On Fri, Jun 26, 2009 at 10:23 AM, Matt Feifarek <[email protected]> wrote:
> On Wed, Jun 24, 2009 at 11:08 AM, afrotypa <[email protected]> wrote:
>>
>> @restrict('POST')
>> @validate(schema=TestSchema(), form='edit', post_only=False,
>>           on_get=True)
>> def save(self, id=None):
>>
>
> I'm not following your full question, but right-off, I see a contradiction
> up there:
> If you restrict that action to only POST, then give on_get=True to validate,
> you'll never do a GET on save... maybe this is what you want? As you might
> expect, you can use @validate to already discriminate by HTTP method
> (post_only). At best, this is redundant. At worst, it might not be behaving
> as you had hoped.
The 'post_only' and 'on_get' arguments are two of the other problems with
@validate. They seem intended to address a security situation which is not
fully described in the documentation (to prevent people from adding query
parameters that override form values, which may or may not be worth worrying
about), but simultaneously introduce a bigger security hole (GET requests
are not validated at all -- why would you ever want that? Maybe if you're
doing form display and form validation in the same method, but the standard
Pylons pattern does not.)

--
Mike Orr <[email protected]>
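As an added illustration (not code from this thread or from Pylons itself), a small Python model of the post_only / on_get behaviour discussed above, assuming a request object with `method`, `GET` and `POST` dicts and a stand-in schema that requires a positive integer `amount`: it shows a GET slipping past validation when on_get is False, and a query-string value overriding the form body when post_only is False.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a Pylons request: method plus query/body dicts."""
    method: str
    GET: dict = field(default_factory=dict)   # query-string parameters
    POST: dict = field(default_factory=dict)  # form-body parameters

class Invalid(Exception):
    pass

def schema_check(params):
    """Stand-in for a FormEncode schema: 'amount' must be a positive integer."""
    try:
        amount = int(params["amount"])
    except (KeyError, ValueError):
        raise Invalid("amount missing or not an integer")
    if amount <= 0:
        raise Invalid("amount must be positive")
    return {"amount": amount}

def validate(post_only=True, on_get=False):
    """Model of @validate's post_only/on_get behaviour, not Pylons' own code."""
    def deco(action):
        def wrapper(req):
            if req.method != "POST" and not on_get:
                # Validation skipped entirely: raw query params reach the action.
                return action(req, dict(req.GET))
            params = dict(req.POST)
            if not post_only:
                params.update(req.GET)  # query string overrides form fields
            return action(req, schema_check(params))
        return wrapper
    return deco

def save(req, params):
    """The action body; it simply returns the parameters it was handed."""
    return params

def run(req, **opts):
    """Return ('ok', params) or ('invalid', reason) for one request and setting."""
    try:
        return ("ok", validate(**opts)(save)(req))
    except Invalid as exc:
        return ("invalid", str(exc))
```

Calling `run(Request("GET", GET={"amount": "-5"}))` with the defaults hands the unchecked "-5" straight to the action, while `on_get=True` makes the same request fail the schema.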
