Much "more simply". :) I had skipped right past the ability to ignore the vars when using URL.verify vs. auth.requires_signature. Should've read the docs more closely.
Summary: If @auth.requires_signature is giving you problems due to vars changing on modified views, use URL.verify inside the function. On Thursday, May 30, 2013 9:04:52 PM UTC-4, Anthony wrote: > > Or more simply: > > def other(): > if not URL.verify(request, user_signature=True, hash_vars=False): > redirect(...) > return dict(grid=SQLFORM.grid(...)) > > Anthony > > On Thursday, May 30, 2013 6:44:59 PM UTC-4, Wes Hall wrote: >> >> I need to verify that the right person can get to the grid, but once that >> is established, let the grid handle verification. >> >> Something along the lines of this would be the best action? >> >> def other(): >> >> # If there are vars, assume grid is supplying and let it check the key >> if len(request.vars) >= 1: >> pass >> >> # If no vars, see if this link is valid >> elif URL.verify(): >> pass >> >> # Neither condition is True, must be invalid, redirect >> else: >> redirect >> >> return SQLFORM.grid() >> >> On Thursday, May 30, 2013 8:57:34 AM UTC-4, Anthony wrote: >>> >>> The grid does it's own URL signature verification, so you should not use >>> the @auth.requires_signature decorator. I believe the difference is that >>> @auth.requires_signature expects the URL vars to be included in the hash, >>> but the grid excludes the vars. If you need to separately verify the >>> signature to prevent any access to the function at all, you can directly >>> call the URL.verify() function within the other() function. >>> >>> Anthony >>> >>> On Thursday, May 30, 2013 2:12:31 AM UTC-4, Wes Hall wrote: >>>> >>>> Using MDP's example from here: >>>> https://groups.google.com/d/msg/web2py/VBrm6B6-Pdk/sG_h9Ane8zQJ and >>>> the manual's suggestion for digitally signed urls: >>>> >>>> @auth.requires_membership('admin'): >>>> def index() >>>> link = URL('other',user_signature=True) #1 >>>> return dict(link=link) >>>> >>>> @auth.requires_signature() #2 >>>> def other(): >>>> return dict(message='hello world') >>>> >>>> I have added a SQLFORM.grid in other(). Everything works fine except >>>> for the pagination links. The requires_signature decorator for other() >>>> won't accept the signed URL from the grid, and the user is redirected to >>>> the access denied/not authorized page. >>>> >>>> Link from index(): >>>> ...other/29?_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd >>>> page2 link from other() >>>> grid: >>>> ...other/29?page=2&_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd >>>> >>>> I tried removing the requires_signature() decorator, and the pagination >>>> works correctly. It appears as though both URL(user_signature=True) and >>>> SQLFORM.grid(user_signature=True) hash the signature the same, but >>>> @auth.requires_signature and SQLFORM.grid verify the signatures >>>> differently. >>>> >>>> If that is a fair or accurate statement, how should I work around this? >>>> >>> -- --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
