Shouldn't we always return 403 if ajax?

On Friday, 9 October 2015 12:22:52 UTC-5, DenesL wrote:
>
> Changing
> if current.request.ajax:
>     raise HTTP(401, self.messages.ajax_failed_authentication)
>
> to
> if current.request.ajax and current.request.cid:
>     raise HTTP(401, self.messages.ajax_failed_authentication)
>
> in gluon/tools/Auth class/requires function (line 3749 in release 2.12.03)
> seems to solve the problem since it verifies it is a component before
> raising a 401, else it follows the "otherwise" or
> auth.settings.on_failed_authorization redirect (which I am using).
>
> Denes.
>
> On Tuesday, October 6, 2015 at 1:50:04 PM UTC-4, DenesL wrote:
>>
>> Hi
>>
>> an expired session becomes empty but this does not seem to always trigger
>> auth.requires_login redirection to the login URL neither when set via
>> auth.requires_login(loginURL), aka the otherwise parameter, nor by
>> auth.settings.on_failed_authorization = loginURL *when XMLHttpRequest
>> (XHR) is used.*
>> Actually the otherwise parameter is superfluous in this case.
>>
>> Status 401 UNAUTHORIZED with response
>> <div class="not-authorized alert alert-block"><h4>NOT
>> AUTHORIZED</h4>Please <a href="">login</a> to view this content.</div>
>> but that is never seen since I am using www.idangero.us/framework7 ,
>> which loads all links with Ajax by default, does not refresh the page.
>>
>> So this probably happens because the call is being treated as a component
>> by web2py.
>> I can get around this by defining the links as external in framework7 but
>> I wonder if it would not be better to have a way to tell web2py to redirect
>> when the session has expired even when using Ajax calls.
>>
>> Thanks,
>> Denes
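
The effect of the change quoted above, as an added example that is not part of the thread or of web2py's code: a simplified model of the not-logged-in branch, comparing the original and proposed checks over three constructed requests. The header names used to derive `ajax` and `cid`, the 303 redirect status and the `/user/login` URL are assumptions of this model.

```python
# Simplified model (not web2py source) of what an unauthenticated request
# gets back under the original and the proposed check from this thread.

LOGIN_URL = "/user/login"  # assumed login URL for the example


def classify(headers):
    """Derive (ajax, cid) from request headers (header names are assumptions)."""
    h = {k.lower(): v for k, v in headers.items()}
    ajax = h.get("x-requested-with", "").lower() == "xmlhttprequest"
    cid = h.get("web2py-component-element")  # present only on component loads
    return ajax, cid


def original_check(headers):
    """Original condition: any Ajax request with no session gets a 401."""
    ajax, _cid = classify(headers)
    return (401, None) if ajax else (303, LOGIN_URL)


def proposed_check(headers):
    """Proposed condition: 401 only for components, redirect otherwise."""
    ajax, cid = classify(headers)
    return (401, None) if (ajax and cid) else (303, LOGIN_URL)


# Constructed sample requests, all arriving with an expired (empty) session.
SAMPLES = [
    ("full page load", {}),
    ("XHR link, no component id", {"X-Requested-With": "XMLHttpRequest"}),
    ("component load", {"X-Requested-With": "XMLHttpRequest",
                        "web2py-component-element": "c123"}),
]


def compare(samples=SAMPLES):
    """Map each sample name to (original status, proposed status)."""
    return {name: (original_check(h)[0], proposed_check(h)[0])
            for name, h in samples}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:28s} original={before} proposed={after}")
```

Browsers follow a redirect inside an XHR transparently, so under the proposed check the Ajax caller receives the login page's HTML rather than a status code it can branch on; client code still has to recognise that response.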

