I have a page which has a form which includes an autocomplete widget. 
 There is a function within a controller to manage that page; this is the 
function that autocomplete widget uses.  It is not an "autocomplete 
function", although it is being used ("magically", according to the 
documentation) for the autocomplete functionality.  In fact, I do not 
understand (and can find no reference to) an "autocomplete function" in the 
documentation; the function called is the one used to generate the page 
that the autocomplete widget is on.

I *do* pass other vars to this function, and did not say otherwise: when 
called for the autocomplete, the only var is that for the autocomplete, and 
*I* never use that var (but do use others).  Nor did I say this page does 
not change state, because in fact it does (this widget is used in a form).

To be more concrete:

#@auth.requires_signature()
def edit_entry():
    ...
    flds = []
    ...
    # the widget's JS calls this same action again with its keyword var set
    flds.append(Field("handlerForAll", 'reference t_member',
                      widget=SQLFORM.widgets.autocomplete(
                          request, db.t_member.f_Lookup,
                          id_field=db.t_member.id, limitby=(0, 10),
                          min_length=2, keyword="_autocomplete_forall")))
    ...
    form = SQLFORM.factory(*flds, formstyle="divs", submit_button="Update Entry")
    if form.process(keepvalues=True, onvalidation=checkEntryEdit).accepted:

On Tuesday, June 23, 2015 at 11:48:24 AM UTC-4, Massimo Di Pierro wrote:
>
> I guess the point here is why are you using requires_signature? Normally 
> you do to make sure that only the intended party can access the intended 
> controller function. In your case it is an autocomplete function. That 
> means 1) you do not know what the vars are, 2) it is not dangerous since it does 
> not change the state, 3) as you say you do not pass any other vars 
> therefore every user accesses the same set of possible autocomplete values. 
>
> Then you should not use @auth.requires_signature. You should use 
> @auth.requires_login() instead, simply to prevent DoS attacks.
>
> That said you can do URL(..., user_signature=True, hash_vars = False) 
> along with @auth.requires_signature(hash_vars=False)
>
> so you hash the signature but not vars which would be added later by the 
> autocomplete JS.
> hash_vars can also be a list of variable names to be hashed.
>
> On Monday, 22 June 2015 09:25:07 UTC-5, Scott Hunter wrote:
>>
>> I don't see how to use this information to solve the problem.  Does any 
>> URL that points to this page need to specify what vars go into the 
>> signature, and what vars should be listed?  Since the autocomplete only 
>> includes its own special var, and nothing else does, it seems that I'd need 
>> to exclude all vars.
>>
>> This doesn't seem like that outlandish a situation; is there 
>> documentation about how to handle it?
>>
>> - Scott
>>
>> On Monday, June 22, 2015 at 2:48:56 AM UTC-4, Massimo Di Pierro wrote:
>>>
>>> Look at the options of URL and requires_signature. You can specify 
>>> which vars should be included in the signature. You cannot sign the 
>>> autocomplete field because that is generated by JS after web2py has already 
>>> computed the signature.
>>>
>>> On Friday, 19 June 2015 15:31:58 UTC-5, Scott Hunter wrote:
>>>>
>>>> Autocomplete widgets do not appear to work within controller functions 
>>>> that require a digital signature (at least not for me).
>>>>
>>>> Is this a bug, a feature, or a mistake on my part?
>>>>
>>>> - Scott
>>>>
>>>

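As an added illustration of the hash_vars advice in the quoted reply (this is a simplified, self-contained model of signed URLs written for this page, not web2py's gluon code; SECRET, the path, and the query values are constructed assumptions): with hash_vars=True the var the widget's JS appends after signing breaks verification, with hash_vars=False or a list of names it does not, at the cost that unsigned vars must be validated by the action itself.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: stands in for the server-side HMAC key


def _payload(path, vars_, hash_vars):
    """Select which query vars the signature covers: all (True), none (False),
    or only the listed names (a list), mirroring web2py's hash_vars option."""
    if hash_vars is True:
        keys = sorted(vars_)
    elif hash_vars is False:
        keys = []
    else:
        keys = sorted(k for k in vars_ if k in hash_vars)
    return path + "?" + "&".join(f"{k}={vars_[k]}" for k in keys)


def _digest(path, vars_, hash_vars):
    msg = _payload(path, vars_, hash_vars).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, vars_, hash_vars=True):
    """Server side: build the page URL with a _signature var appended."""
    sig = _digest(path, vars_, hash_vars)
    return path + "?" + urlencode({**vars_, "_signature": sig})


def verify_url(url, hash_vars=True):
    """Server side: what a requires_signature-style decorator checks on each request."""
    parts = urlsplit(url)
    vars_ = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sig = vars_.pop("_signature", None)
    if sig is None:
        return False
    # vars not covered by hash_vars are NOT integrity-protected: the action must validate them
    return hmac.compare_digest(sig, _digest(parts.path, vars_, hash_vars))


def autocomplete_request(signed_url, keyword="_autocomplete_forall", term="sm"):
    """Client side: the widget's JS appends its own var after the signature was computed."""
    return signed_url + "&" + urlencode({keyword: term})
```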