The generic views can result in a security vulnerability because they expose all data returned by the controller. For this reason, they are disabled by default. You should only enable specific generic views in specific cases when you have verified that you are not over-exposing any data.
For example, suppose you have written a custom HTML view and have returned rows from the db.auth_user table to the view in order to list some names. If you have all generic views enabled, someone could visit the URL with a .json or .xml extension, which will trigger the use of a generic view, which will then expose all fields in the db.auth_user data rather than just the names you included in the HTML view.

Anyway, I think all the places in the documentation that mention the generic views include a note explaining that they are disabled by default except on localhost.

Anthony

On Sunday, July 19, 2015 at 11:10:20 AM UTC-4, [email protected] wrote:
>
> I made a new app and some controllers in it without any view - only
> generic.html
>
> Then I tried to open the URL to that controller from public - the error "Not
> found" was raised
>
> So I need to search WHY?
> I lost one day solving "WHY?"
>
> Maybe open access to generic.html by default?
>
> On Tuesday, July 14, 2015 at 21:01:21 UTC+3, Dave S wrote:
>>
>> On Tuesday, July 14, 2015 at 9:41:29 AM UTC-7, [email protected]
>> wrote:
>>>
>>> I made a simple app and uploaded it to the server,
>>> then all external requests raise "Not Found" :(
>>>
>>> I killed a day solving this problem
>>>
>>> Please edit the code in menu.py:
>>> ####response.generic_patterns = ['*'] if request.is_local else []
>>> IS_LOCAL = request.is_local
>>> # enable generic views everywhere, except for admin/appadmin on non-local requests
>>> response.generic_patterns = (
>>>     [] if (not IS_LOCAL and (request.application == 'admin' or
>>>                              request.controller == 'appadmin'))
>>>     else ['*'])
>>>
>>>
>> Isn't that a security feature? Generic views are restricted to local use
>> for debugging (they expose a lot of stuff the user doesn't need). The admin
>> functions are also restricted to local or https, to limit the number of
>> people trying to crack the password.
>>
>> Did you implement a specific view for your controller functions?
>>
>> /dps
>>

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
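Added example (not part of the thread above and not web2py's own code): a stand-alone Python simulation of the over-exposure Anthony describes. It does not import web2py; the auth_user rows are constructed placeholders, the actions, views and `render()` dispatcher are hypothetical stand-ins for a web2py controller, and `generic_view_allowed()` is an assumed approximation of web2py matching "controller/function.extension" against `response.generic_patterns` with fnmatch. It contrasts the weak setting (`['*']` everywhere) with the welcome app's default (`['*'] if request.is_local else []`), and shows that the lasting fix is to return only the fields the page needs, so a generic view has nothing sensitive to serialise even where it is enabled.

```python
import fnmatch
import json

# Constructed stand-in for rows of db.auth_user (fake values, not real data).
AUTH_USER_ROWS = [
    {"id": 1, "first_name": "Alice", "last_name": "Smith",
     "email": "alice@example.com",
     "password": "pbkdf2(1000,20,sha512)$salt$hash-placeholder",
     "registration_key": "", "reset_password_key": ""},
    {"id": 2, "first_name": "Bob", "last_name": "Jones",
     "email": "bob@example.com",
     "password": "pbkdf2(1000,20,sha512)$salt$hash-placeholder",
     "registration_key": "pending", "reset_password_key": "token-placeholder"},
]

# Columns that must never leave the server through a view.
SENSITIVE_FIELDS = ("password", "registration_key", "reset_password_key")


def default_generic_patterns(is_local):
    """The welcome app's models/menu.py default:
    response.generic_patterns = ['*'] if request.is_local else []"""
    return ["*"] if is_local else []


def list_users():
    # Over-returning action (hypothetical): whole auth_user rows reach the view layer.
    return dict(users=AUTH_USER_ROWS)


def list_users_safe():
    # Hardened action (hypothetical): only the names the page needs are returned.
    return dict(names=[r["first_name"] for r in AUTH_USER_ROWS])


def html_view(data):
    # Stand-in for a hand-written default/list_users.html that prints names only.
    names = [r["first_name"] for r in data.get("users", [])] or data.get("names", [])
    return "<ul>" + "".join("<li>%s</li>" % n for n in names) + "</ul>"


def generic_view_allowed(patterns, controller, function, extension):
    # Assumption: approximates web2py's check, which fnmatch()es
    # "controller/function.extension" against response.generic_patterns.
    target = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatch.fnmatch(target, p) for p in patterns)


def render(extension, patterns, action, custom_views=("html",)):
    """Simulate a request to default/list_users.<extension>.
    Returns (status, body). A custom view wins; otherwise a generic view is
    used only if a pattern allows it, else 404 (the "Not Found" in the thread)."""
    data = action()
    if extension in custom_views:
        return 200, html_view(data)
    if generic_view_allowed(patterns, "default", "list_users", extension):
        # generic.json / generic.xml serialise everything the action returned
        return 200, json.dumps(data, sort_keys=True)
    return 404, "Not Found"


def leaked_fields(body):
    """Which sensitive column names appear in a response body."""
    return [f for f in SENSITIVE_FIELDS if f in body]


if __name__ == "__main__":
    cases = [
        ("generic_patterns=['*'], raw rows", ["*"], list_users),
        ("generic_patterns=[] (remote default), raw rows", [], list_users),
        ("generic_patterns=['*'], trimmed rows", ["*"], list_users_safe),
        ("scoped pattern, trimmed rows", ["default/list_users.json"], list_users_safe),
    ]
    for label, patterns, action in cases:
        for ext in ("html", "json", "xml"):
            status, body = render(ext, patterns, action)
            print("%-48s .%-4s -> %d leaked=%s" % (label, ext, status, leaked_fields(body)))
```

Run it directly to see the matrix: with `['*']` and the raw rows, the `.json` and `.xml` requests return 200 with password hashes and reset keys in the body while `.html` shows only names; with the remote default `[]` those requests get "Not Found"; with the trimmed action nothing sensitive leaks even under `['*']`. The scoped pattern case shows the middle ground the docs allow (a pattern naming one vetted action and extension) once you have checked what that action returns.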

