Note, you can use a digitally signed URL for this purpose:
http://web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls
On Tuesday, January 13, 2015 at 5:40:53 PM UTC-5, Anthony wrote:
>
> Although the download URL would be hard to guess, someone who obtained the
> URL by some other means could still download the image. So, if you want to
> be completely secure, you should authorize the download as well.
>
> Anthony
>
> On Tuesday, January 13, 2015 at 3:33:08 PM UTC-5, Mark Billion wrote:
>>
>> If I have a page controlled by a function that has access control, do I
>> need to also validate the same at the download stage?
>>
>> For example (in pseudo-code):
>>
>> function x():
>> 1. Check to see if Mark Billion is the authorized user or redirect to
>> google.com
>> 2. do something
>> 3. return dict(image.file=image.file)
>>
>> The view has the following
>> "{{=URL('download', args=image.file)}}"
>>
>>
>> My thought is that you cannot access either function x or x.html without
>> being verified as me, and I dont see how you could pass to download()
>> directly, so there is no reason to add another layer of authentication in
>> the download function. Thoughts?
>>
>>
>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
