Although the download URL would be hard to guess, someone who obtained the 
URL by some other means could still download the image. So, if you want to 
be completely secure, you should authorize the download as well.

Anthony

On Tuesday, January 13, 2015 at 3:33:08 PM UTC-5, Mark Billion wrote:
>
> If I have a page controlled by a function that has access control, do I 
> need to also validate the same at the download stage?
>
> For example (in pseudo-code):
>
> function x():
> 1. Check to see if Mark Billion is the authorized user or redirect to 
> google.com
> 2. do something
> 3.  return dict(image.file=image.file)
>
> The view has the following
>  "{{=URL('download', args=image.file)}}"
>
>
> My thought is that you cannot access either function x or x.html without 
> being verified as me, and I don't see how you could pass to download() 
> directly, so there is no reason to add another layer of authentication in 
> the download function.  Thoughts?
>
>
>
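
The gap discussed in this thread, as an added example that is not part of the original messages and is not web2py code: a framework-free Python model of the protected page `x` and the `download` action, showing that a check on the page alone does not cover a direct request to the download URL. All function names, the user name and the stored filename are constructed for illustration; in web2py itself the check would normally be a decorator such as `@auth.requires_login()` on `download()` or an `authorize` callback on the upload field.

```python
import functools

OWNER = "mark"  # constructed user name
# Constructed upload store: stored filename -> (owner, file bytes)
UPLOADS = {"image.file.9f2c1a.png": (OWNER, b"\x89PNG constructed bytes")}

class Forbidden(Exception):
    """Stands in for an HTTP 403 or a redirect to the login page."""

def requires_user(expected):
    """Hypothetical analogue of putting an auth decorator on an action."""
    def decorator(action):
        @functools.wraps(action)
        def wrapper(session, *args):
            if session.get("user") != expected:
                raise Forbidden(action.__name__)
            return action(session, *args)
        return wrapper
    return decorator

@requires_user(OWNER)
def x(session):
    # Protected page: returns the link that the view would render.
    name = next(iter(UPLOADS))
    return {"download_url": "/app/default/download/" + name}

def download_unchecked(session, name):
    # The download() from the question: no check of its own,
    # so knowing the URL is enough to get the file.
    return UPLOADS[name][1]

def download_checked(session, name):
    # Authorize at the download stage too: the requester must own the file.
    owner, data = UPLOADS[name]
    if session.get("user") != owner:
        raise Forbidden(name)
    return data

def fetch(action, session, url):
    """Dispatch a direct request for a download URL; return a status code."""
    try:
        action(session, url.rsplit("/", 1)[-1])
        return 200
    except Forbidden:
        return 403
```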
