On Tuesday, January 24, 2017 at 6:50:30 AM UTC-5, Ramos wrote:
>
> Hello, I send a link to another user to approve a document.
>
> Like this:
>
>
> http://myapp.etc.etc/fileit/events/list?itemID=146&t=ficheiros&uuid=6ed5d053-a2ff-48d8-8bd9-18400a059de4&_signature=118c38a9845690d4acf628bc1b977ef1eca864fe
>
> If I send it to another user, that user gets a "not authorized" error.
> However, if I send it to me as the approver, I get the document to approve
> and it works OK.
>
> How can I solve this?
>
> The list function in controller events starts like this:
>
> @auth.requires_signature()
> def list():
>

The @auth.requires_signature() decorator expects the URL signature to be 
generated using the hmac key that is generated for the logged in user at 
login time (this key is stored in the user's session). However, you are 
presumably generating the signature in a request related to your own 
session, not the session of the user in question, so the hmac key used to 
generate the signature is not the same as the hmac key of the user that 
ultimately clicks the link.

Instead, you must generate a signature based on some secret plus something 
unique to the user you are targeting, and then use the URL.verify() method 
to check that signature at authorization time. Something like this:

secret = '123abc' # Just an example -- the real secret should be longer and random.

def link_generating_action():
    targeted_user_id = some_id # Somehow get the id of the user you are targeting.
    url = URL('default', 'myaction', hmac_key='%s%s' % (secret, targeted_user_id))
    link = A('For your eyes only', _href=url)
    # [do something with link]

# The closing parenthesis of auth.requires(...) was missing in the original post.
@auth.requires(lambda: URL.verify(request, hmac_key='%s%s' % (secret, auth.user.id)))
def myaction():
    ...

For access to the above action, the user must be logged in, and the 
signature must match the one generated using a key that combines the secret 
plus the user's id.

Anthony
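
The scheme described in the reply above, modelled with only the Python standard library as an added example (not code from the original post and not web2py's own implementation). It shows why a link signed with the sender's session key fails for the recipient, and why a key built from a secret plus the target user's id verifies only for that user. The names sign_url, verify_url and user_key, the user ids 7 and 8, and the session keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET = secrets.token_hex(32)  # constructed here; a real app loads it from private config


def _sig(key, path, params):
    # Sign the path plus the sorted query parameters (signature itself excluded).
    msg = path + "?" + urlencode(sorted(params))
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign_url(path, params, key):
    items = sorted(params.items())
    return path + "?" + urlencode(items + [("_signature", _sig(key, path, items))])


def verify_url(url, key):
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    given = [v for k, v in params if k == "_signature"]
    rest = [(k, v) for k, v in params if k != "_signature"]
    if len(given) != 1:  # missing or duplicated signature: reject
        return False
    expected = _sig(key, parts.path, rest)
    return hmac.compare_digest(given[0].encode(), expected.encode())  # constant-time


def user_key(user_id):
    # Same construction as the reply: application secret plus the targeted user's id.
    return "%s%s" % (SECRET, user_id)


def demo():
    sender_session = secrets.token_hex(16)     # models the per-session key made at login
    recipient_session = secrets.token_hex(16)  # a different session, so a different key
    params = {"itemID": 146, "t": "ficheiros"}
    session_link = sign_url("/fileit/events/list", params, sender_session)
    targeted_link = sign_url("/fileit/events/list", params, user_key(7))
    return {
        "session_link_sender": verify_url(session_link, sender_session),        # True
        "session_link_recipient": verify_url(session_link, recipient_session),  # False
        "targeted_link_user_7": verify_url(targeted_link, user_key(7)),         # True
        "targeted_link_user_8": verify_url(targeted_link, user_key(8)),         # False
    }
```

Because the signature covers the query parameters, changing itemID in a signed link also invalidates it.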
