Thank you Anthony. I think I can solve it with your snippet...

2017-01-24 15:26 GMT+00:00 Anthony <[email protected]>:

> On Tuesday, January 24, 2017 at 6:50:30 AM UTC-5, Ramos wrote:
>>
>> Hello, I send a link to another user to approve a document.
>>
>> like this....
>>
>> http://myapp.etc.etc/fileit/events/list?itemID=146&t=ficheiros&uuid=6ed5d053-a2ff-48d8-8bd9-18400a059de4&_signature=118c38a9845690d4acf628bc1b977ef1eca864fe
>>
>> If I send it to another user, that user gets a "not authorized" error.
>> However, if I send it to myself as the approver, I get the document to
>> approve and it works OK.
>>
>> How can I solve this?
>>
>> The list function in controller events starts like this:
>>
>> @auth.requires_signature()
>> def list():
>>
>
> The @auth.requires_signature() decorator expects the URL signature to be
> generated using the hmac key that is generated for the logged in user at
> login time (this key is stored in the user's session). However, you are
> presumably generating the signature in a request related to your own
> session, not the session of the user in question, so the hmac key used to
> generate the signature is not the same as the hmac key of the user that
> ultimately clicks the link.
>
> Instead, you must generate a signature based on some secret plus something
> unique to the user you are targeting, and then use the URL.verify() method
> to check that signature at authorization time. Something like this:
>
> secret = '123abc'  # Just an example -- the real secret should be longer and random.
>
> def link_generating_action():
>     targeted_user_id = some_id  # Somehow get the id of the user you are targeting.
>     url = URL('default', 'myaction', hmac_key='%s%s' % (secret, targeted_user_id))
>     link = A('For your eyes only', _href=url)
>     # [do something with link]
>
> @auth.requires(lambda: URL.verify(request, hmac_key='%s%s' % (secret, auth.user.id)))
> def myaction():
>     ...
>
> For access to the above action, the user must be logged in, and the
> signature must match the one generated using a key that combines the secret
> plus the user's id.
>
> Anthony
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
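
The behaviour discussed in this thread, as an added stand-alone example (not code from the thread and not web2py's implementation): a link signed with one session's key fails under another session's key, while a key derived from a server secret plus the target user's id verifies only for that user and only for the unmodified URL. The helper names, the user ids 42 and 43, and the use of HMAC-SHA256 for key derivation (in place of the string concatenation shown above) are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SERVER_SECRET = secrets.token_bytes(32)  # constructed; load from protected config in practice


def user_key(user_id, secret=SERVER_SECRET):
    """Per-user signing key: HMAC(server secret, user id). Hypothetical helper."""
    return hmac.new(secret, b"signed-url:%d" % user_id, hashlib.sha256).digest()


def _mac(path, params, key):
    # Sign the path plus the sorted query so parameter order cannot change the result.
    msg = "%s?%s" % (path, urlencode(sorted(params.items())))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def sign_url(path, params, key):
    return "%s?%s" % (path, urlencode(dict(params, _signature=_mac(path, params, key))))


def verify_url(url, key):
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    given = params.pop("_signature", "")  # a missing signature never verifies
    # Constant-time comparison of the expected and supplied signatures.
    return hmac.compare_digest(_mac(parts.path, params, key).encode(), given.encode())


def demo():
    path, params = "/fileit/events/list", {"itemID": "146", "t": "ficheiros"}
    sender_session_key = secrets.token_bytes(32)    # stands in for the sender's login-time key
    approver_session_key = secrets.token_bytes(32)  # the approver's login produced another key
    session_link = sign_url(path, params, sender_session_key)
    user_link = sign_url(path, params, user_key(42))  # 42 = constructed id of the approver
    return {
        "session_link_for_approver": verify_url(session_link, approver_session_key),
        "user_link_for_approver": verify_url(user_link, user_key(42)),
        "user_link_for_other_user": verify_url(user_link, user_key(43)),
        "tampered_item": verify_url(user_link.replace("itemID=146", "itemID=147"), user_key(42)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```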

