I simplified the controller to better understand the problem I'm seeing.
def test():
id = 2
query = (db.staffnotes.staffid == id)
fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
grid = SQLFORM.grid(query=query,
details=False,csv=False,editable=False,deletable=False,create=False,searchable=True,
paginate=10,fields=fields,orderby=orderby,
args=[id],
)
return dict(grid=grid)
- When I call this routine with:
http://localhost:8000/myapp/default/test
- I receive the 'not authorized' flash and the grid doesn't display
- If I call it with:
http://localhost:8000/myapp/default/test/2
- the grid displays with no error.
(this appears to be because request.args(0) matchs args=[id] where id=2)
- If I call it with:
http://localhost:8000/myapp/default/test/garbage/view
- I receive the 'not authorized' flash and the grid doesn't display
- If I signoff and repeat the url
http://localhost:8000/myapp/default/test/garbage/view
- the grid displays with no error.
- I don't intend to pass phony urls to get past the error. I just listed
them to try to understand what I'm doing wrong.
- If I get rid of the args=[id] parameter on SQLFORM.grid call
the grid displays no matter what the url is, and whether or not I'm
logged in,
but I need the args=[id] because I use it with links.
Does this clarify anything?
On Monday, December 10, 2012 12:44:30 PM UTC-6, tomt wrote:
>
> Yes, I am logged in.
>
> On the initial call of the controller the grid is displayed without and
> error. When I select a new value from the dropdown form, a new query is
> used and passed to SQLFORM.grid, and this is when the 'not authorized'
> flash is generated.
>
>
> On Monday, December 10, 2012 9:21:29 AM UTC-6, Massimo Di Pierro wrote:
>
>> Are you logged in when you try accessing the grid? Do you get a not
>> authorized when trying to visualize the grid or when searching or when
>> visualizing a record?
>>
>> Massimo
>>
>> On Sunday, 9 December 2012 19:23:20 UTC-6, tomt wrote:
>>>
>>> Hi,
>>>
>>> Recent changes in trunk are causing my use of SQLFORM.grid to issue a
>>> 'not authorized' flash.
>>> It appears to be because of the following change in sqlhtml.py:
>>>
>>> - stable:
>>> # if not user_signature every action is accessible
>>> # else forbid access unless
>>> # - url is based url
>>> # - url has valid signature (vars are not signed, only path_info)
>>> # = url does not contain 'create','delete','edit' (readonly)
>>> if user_signature:
>>> if not(
>>> '/'.join(str(a) for a in args) == '/'.join(request.args)
>>> or
>>> URL.verify(request, user_signature=user_signature,
>>> hash_vars=False) or not (
>>> 'create' in request.args or
>>> 'delete' in request.args or
>>> 'edit' in request.args)):
>>> session.flash = T('not authorized')
>>> redirect(referrer)
>>> - trunk
>>> # if not user_signature every action is accessible
>>> # else forbid access unless
>>> # - url is based url
>>> # - url has valid signature (vars are not signed, only path_info)
>>> # = url does not contain 'create','delete','edit' (readonly)
>>> if user_signature:
>>> if not (
>>> '/'.join(str(a) for a in args) == '/'.join(request.args)
>>> or
>>> URL.verify(request,user_signature=user_signature,
>>> hash_vars=False) or
>>> (request.args(len(args))=='view' and not logged)):
>>> session.flash = T('not authorized')
>>> redirect(referrer)
>>>
>>> I normally call my routine with no parameter after having signed on
>>> and then I select a specific user from the dropdown list.
>>> With the latest trunk the selection is ignored and the flash 'not
>>> authorized'
>>> is generated. My controller doesn't call create, delete, or edit. It
>>> uses javascript to
>>> to select and pass on the staffid to the grid.
>>>
>>> Restoring this piece of code in sqlhtml.py to the previous version
>>> eliminates my problem.
>>> I'm not sure what change was meant to do differently. Perhaps it was a
>>> mistake, or it could be that I was using SQLFORM.grid incorrectly.
>>>
>>> ... my controller ....................................................
>>> def note_list():
>>> script = SCRIPT("""
>>> $('document').ready(function(){
>>> $('#mycombo').change(function(){
>>> $('#myform').submit();
>>> });
>>> });
>>> """)
>>>
>>> form = SQLFORM(db.staffnotes,fields=['staffid'])
>>> del form[0][1] # delete the submit_record__row from the form
>>> staffid = request.args(0)
>>> # Modify form elements for use by script
>>> form.attributes['_id'] = 'myform'
>>> form.element('select').attributes['_id'] = 'mycombo'
>>>
>>> # Build table of all notes if staffid isn't set
>>> if staffid:
>>> query = ((db.staffnotes.staffid == db.staff.id) &
>>> (db.staffnotes.staffid == staffid))
>>> else:
>>> query = ((db.staffnotes.staffid == db.staff.id))
>>>
>>> if form.accepts(request.vars,session,dbio=False):
>>> staffid = form.vars.staffid
>>> query = ((db.staffnotes.staffid == db.staff.id) &
>>> (db.staffnotes.staffid == staffid))
>>>
>>>
>>> fields=[db.staffnotes.staffid,db.staffnotes.date,db.staffnotes.comment]
>>> orderby = [~db.staffnotes.date,~db.staffnotes.modified_on]
>>> maxtextlengths = {
>>> 'staffnotes.staffid': 20,
>>> 'staffnotes.comment': 200,
>>> }
>>>
>>> links=[dict(header='Link',body=mybody )]
>>>
>>> if staffid:
>>> print "grid D: form.vars.staffid %s, staffid %s " %
>>> (form.vars.staffid,staffid)
>>> grid = SQLFORM.grid(query=query,
>>>
>>> details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>
>>> paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>> args=[staffid],links=links,
>>> )
>>> else:
>>> print "grid E: form.vars.staffid %s, staffid %s " %
>>> (form.vars.staffid,staffid)
>>> grid = SQLFORM.grid(query=query,
>>>
>>> details=True,csv=False,editable=False,deletable=False,create=False,searchable=True,
>>>
>>> paginate=10,fields=fields,orderby=orderby,maxtextlengths=maxtextlengths,
>>> links=links,
>>> )
>>>
>>>
>>> response.title='Notes'
>>> print ""
>>> return dict(form=form, script=script, grid=grid)
>>> ......................................................................
>>>
>>> - any suggestions?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
--
