Perhaps we should just allow: @auth.requires_signature(hash_vars=False)
Anthony On Thursday, May 30, 2013 9:27:45 PM UTC-4, Wes Hall wrote: > > Much "more simply". :) > > I had skipped right past the ability to ignore the vars when using > URL.verify vs. auth.requires_signature. Should've read the docs more > closely. > > Summary: If @auth.requires_signature is giving you problems due to vars > changing on modified views, use URL.verify inside the function. > > On Thursday, May 30, 2013 9:04:52 PM UTC-4, Anthony wrote: >> >> Or more simply: >> >> def other(): >> if not URL.verify(request, user_signature=True, hash_vars=False): >> redirect(...) >> return dict(grid=SQLFORM.grid(...)) >> >> Anthony >> >> On Thursday, May 30, 2013 6:44:59 PM UTC-4, Wes Hall wrote: >>> >>> I need to verify that the right person can get to the grid, but once >>> that is established, let the grid handle verification. >>> >>> Something along the lines of this would be the best action? >>> >>> def other(): >>> >>> # If there are vars, assume grid is supplying and let it check the >>> key >>> if len(request.vars) >= 1: >>> pass >>> >>> # If no vars, see if this link is valid >>> elif URL.verify(): >>> pass >>> >>> # Neither condition is True, must be invalid, redirect >>> else: >>> redirect >>> >>> return SQLFORM.grid() >>> >>> On Thursday, May 30, 2013 8:57:34 AM UTC-4, Anthony wrote: >>>> >>>> The grid does it's own URL signature verification, so you should not >>>> use the @auth.requires_signature decorator. I believe the difference is >>>> that @auth.requires_signature expects the URL vars to be included in the >>>> hash, but the grid excludes the vars. If you need to separately verify the >>>> signature to prevent any access to the function at all, you can directly >>>> call the URL.verify() function within the other() function. >>>> >>>> Anthony >>>> >>>> On Thursday, May 30, 2013 2:12:31 AM UTC-4, Wes Hall wrote: >>>>> >>>>> Using MDP's example from here: >>>>> https://groups.google.com/d/msg/web2py/VBrm6B6-Pdk/sG_h9Ane8zQJ and >>>>> the manual's suggestion for digitally signed urls: >>>>> >>>>> @auth.requires_membership('admin'): >>>>> def index() >>>>> link = URL('other',user_signature=True) #1 >>>>> return dict(link=link) >>>>> >>>>> @auth.requires_signature() #2 >>>>> def other(): >>>>> return dict(message='hello world') >>>>> >>>>> I have added a SQLFORM.grid in other(). Everything works fine except >>>>> for the pagination links. The requires_signature decorator for other() >>>>> won't accept the signed URL from the grid, and the user is redirected to >>>>> the access denied/not authorized page. >>>>> >>>>> Link from index(): >>>>> ...other/29?_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd >>>>> page2 link from other() >>>>> grid: >>>>> ...other/29?page=2&_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd >>>>> >>>>> I tried removing the requires_signature() decorator, and the >>>>> pagination works correctly. It appears as though both >>>>> URL(user_signature=True) and SQLFORM.grid(user_signature=True) hash the >>>>> signature the same, but @auth.requires_signature and SQLFORM.grid verify >>>>> the signatures differently. >>>>> >>>>> If that is a fair or accurate statement, how should I work around this? >>>>> >>>> -- --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
