[web2py] Re: SQLFORM.grid export and user_signature issue

Fri, 13 Nov 2015 07:51:12 -0800 

The problem is that the grid does not include the query string when hashing 
the URL to create the signature, but by default, @auth.requires_signature 
expects the query string to be included when hashing. As a result, the 
signature generated by the grid for the export download has the wrong 
signature (because the export links include a query string). To avoid the 
problem, you can tell @auth.requires_signature to ignore the query string:

@auth.requires_signature(hash_vars=False)

Anthony

On Friday, November 13, 2015 at 2:47:36 AM UTC-5, Carlos Kitu wrote:
>
> There seems to be an issue with export (any class of export: csv, tsv, 
> ...) in SQLFORM.grid when using user_signature and the corresponding 
> decorator.
> Pressing any export button in that context generates a:
>
> Not authorized. Insufficient privileges - Error
>
> Here is a minimal example of the code:
>
> *db_00.py*
> db.define_table('table01',
>     Field('field01', 'string', length=50, notnull=True, unique=False, 
> label='field01', comment='field01'))
>
>
>
> *default.py*
> def first():
>     redirect(URL('second', user_signature=True))
>
>
> @auth.requires_signature()
> @auth.requires_login()
> def second():
>     grid=SQLFORM.grid(db.table01, 
>                       csv=True,
>                       user_signature=True)
>     return grid
>
>
>
> Once logged in, I'm calling default/first, just to get a signed url to 
> default/second, where the grid is shown. Then I press the export button, 
> getting the aforementioned error.
>
> Removing the @auth.requires_signature() decorator makes everything work 
> fine.
>
> Web2py version used:
> 2.12.3-stable+timestamp.2015.08.19.00.18.03
> (Ejecutando en Rocket 1.2.6, Python 2.7.6)
>
> Any help will be greatly appreciated.
> Best regards.
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to