>
> I'm trying to reload a signed component passing parameters to it.
> Everything works great until I @auth.requires_signature() in the component
> action.
>
> The LOAD is:
>
> {{=LOAD('opportunity', 'listops.load', target='oplist', ajax=True,
> user_signature=True)}}
>
> var url = jQuery('#oplist').get(0).dataset.w2p_remote +'&'+ params;
> web2py_component(url, 'oplist');
>
> How can I use auth.requires_signature() and still reload the component
> with parameters?
>
By default, the signature is based on the full original URL, including the
query string, so you cannot append additional items to the query string and
still have the signature validate. There is an option both when generating
the signature and when verifying it to ignore the query string (or include
only specific variables from it), but unfortunately the LOAD() helper does
not provide a way to take advantage of that option directly. However, I
think you can generate your own URL for the LOAD() helper:

    signed_url = URL('opportunity', 'listops.load', user_signature=True,
                     hash_vars=False)
    LOAD(url=signed_url, target='oplist', ajax=True)

Above, setting hash_vars=False excludes the query string variables from the
hash generation. Note, this somewhat weakens the security of the signature,
as a user will be able to request a URL with any query string. If the
original URL does include some variables in the query string (i.e., not
generated via JavaScript in the browser), you can include only those
variables in the hash via hash_vars=['list', 'of', 'variables']. In that
case, only the values of those specific variables will be checked.
Then the Auth decorator should be:

    @auth.requires_signature(hash_vars=False)

Anthony
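
A simplified model of the trade-off described in the reply above, added here as an illustration and not web2py's own code: the key, the HMAC construction and the names `sign_url`, `verify_url` and `demo` are assumptions, and the `owner` and `page` variables are constructed samples.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qsl

KEY = b"constructed-per-session-key"  # assumption: stands in for the signing key


def _digest(path, query_vars, hash_vars):
    # hash_vars=True signs every query variable, False signs the path only,
    # and a list signs just the named variables.
    if hash_vars is True:
        signed = sorted(query_vars.items())
    elif hash_vars is False:
        signed = []
    else:
        signed = sorted((k, v) for k, v in query_vars.items() if k in hash_vars)
    message = path + "?" + urlencode(signed)
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()


def sign_url(path, query_vars=None, hash_vars=True):
    query_vars = dict(query_vars or {})
    query_vars["_signature"] = _digest(path, query_vars, hash_vars)
    return path + "?" + urlencode(query_vars)


def verify_url(url, hash_vars=True):
    path, _, query = url.partition("?")
    query_vars = dict(parse_qsl(query))
    signature = query_vars.pop("_signature", "")
    return hmac.compare_digest(signature, _digest(path, query_vars, hash_vars))


def demo():
    base = "/opportunity/listops.load"  # constructed sample URL
    full = sign_url(base)                     # default: query string is signed
    loose = sign_url(base, hash_vars=False)   # path only
    pinned = sign_url(base, {"owner": "7"}, hash_vars=["owner"])
    return {
        "full_plus_param": verify_url(full + "&page=2"),
        "loose_plus_param": verify_url(loose + "&page=2", hash_vars=False),
        "loose_other_path": verify_url(loose.replace("listops", "otherops"), hash_vars=False),
        "pinned_plus_param": verify_url(pinned + "&page=2", hash_vars=["owner"]),
        "pinned_tampered": verify_url(pinned.replace("owner=7", "owner=8"), hash_vars=["owner"]),
    }
```

With `hash_vars=False` the signature only proves the path was issued to this user, so the action must validate every query variable itself; pinning server-generated variables by name keeps those values tamper-evident while still allowing client-side parameters to be appended.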