Thanks Anthony. It took me a while to get this to work.
There were two things in my code that made calling the LOAD return a
"Not Authorized":
1. {{('message' in globals())}} at the top of the calling html file. I had
to delete this.
2. LOAD(... ajax=False, user_signature=True) i.e. I have to have ajax=True
After correcting for these, your suggestion worked.
On Monday, March 7, 2016 at 1:47:40 PM UTC-8, Anthony wrote:
>
> You can use a digital signature:
> http://web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls
>
> When creating the component, do LOAD(..., user_signature=True). Then
> decorate your component actions with @auth.requires_signature().
>
> Anthony
>
> On Monday, March 7, 2016 at 3:58:25 PM UTC-5, Ben Lawrence wrote:
>>
>> Hi
>>
>> I just need a little advice here.
>>
>> There are logged in users on my website that are given permission to
>> access a particular html page. The page changes depending on the user
>> logged in. The controller decides on whether the user can access that page
>> or not.
>>
>> The html page calls LOADs. How do I properly secure these LOAD calls with
>> the same permission as the html parent? (Otherwise people can just put the
>> LOAD file address in the browser and see it.)
>>
>> Now, I am running the same database checks in the LOAD as in the html, so
>> there is duplication here. Should I use the http referrer
>> request.env.http_referer to check that the caller is correct or is there a
>> better way?
>>
>> Thanks for your time.
>>
>
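To illustrate what the signed-URL approach from Anthony's reply protects against, here is an added, self-contained example that is not web2py's code and not from the thread: the parent page signs the component URL with an HMAC keyed by a per-session secret (an assumption standing in for whatever web2py derives from the session), and the component side refuses any request whose signature is missing, altered, or made with a different key. Unlike `request.env.http_referer`, which the client sends and can set freely, this signature cannot be produced without the secret.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Illustrative model of a digitally signed component URL. This is NOT
# web2py's implementation; web2py's LOAD(..., user_signature=True) and
# @auth.requires_signature() handle the equivalent steps internally.
SIGNATURE_PARAM = "_signature"


def sign_url(path, params, session_secret):
    """Return path?params&_signature=<hmac> for the given session secret."""
    query = urlencode(sorted(params.items()))
    message = (path + "?" + query).encode()
    sig = hmac.new(session_secret, message, hashlib.sha256).hexdigest()
    return f"{path}?{query}&{SIGNATURE_PARAM}={sig}"


def verify_url(url, session_secret):
    """Check a request URL the way a requires-signature decorator would.

    Returns False when the signature is absent, when any query parameter
    (the ones the parent page chose) has been changed, or when the URL was
    signed under a different session secret.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    presented = qs.pop(SIGNATURE_PARAM, [None])[0]
    if presented is None:
        return False
    # Rebuild the exact string that was signed, minus the signature itself.
    query = urlencode(sorted((k, v[0]) for k, v in qs.items()))
    message = (parts.path + "?" + query).encode()
    expected = hmac.new(session_secret, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample values: a per-session secret and one component URL.
    secret = b"constructed-session-secret"
    good = sign_url("/app/default/component", {"user_id": "42"}, secret)
    print("signed URL verifies:", verify_url(good, secret))
    print("tampered user_id verifies:",
          verify_url(good.replace("user_id=42", "user_id=43"), secret))
    print("unsigned direct request verifies:",
          verify_url("/app/default/component?user_id=42", secret))
```

The "unsigned direct request" case is exactly the scenario in the original question: pasting the LOAD address into the browser without the signature the parent page would have attached.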