On Monday, June 4, 2018 at 5:16:33 PM UTC+1, Anthony wrote:
>
>> I'm trying to reload a signed component passing parameters to it.
>> Everything works great until I @auth.requires_signature() in the 
>> component action.
>>
>> The LOAD is:
>>
>> {{=LOAD('opportunity', 'listops.load', target='oplist', ajax=True, 
>> user_signature=True)}}
>>
>> var url = jQuery('#oplist').get(0).dataset.w2p_remote +'&'+ params;
>> web2py_component(url, 'oplist');
>>
>> How can I use auth.requires_signature() and still reload the component 
>> with parameters?
>>
>
> By default, the signature is based on the full original URL, including the 
> query string, so you cannot append additional items to the query string and 
> still have the signature validate. There is an option both when generating 
> the signature and when verifying it to ignore the query string (or include 
> only specific variables from it), but unfortunately the LOAD() helper does 
> not provide a way to take advantage of that option directly. However, I 
> think you can generate your own URL for the LOAD() helper:
>
> signed_url = URL('opportunity', 'listops.load', user_signature=True, 
> hash_vars=False)
> LOAD(url=signed_url, target='oplist', ajax=True)
>
> Above, setting hash_vars=False excludes the query string variables from 
> the hash generation. Note, this somewhat weakens the security of the 
> signature, as a user will be able to request a URL with any query string. 
> If the original URL does include some variables in the query string (i.e., 
> not generated via Javascript in the browser), you can include only those 
> variables in the hash via hash_vars=['list', 'of', 'variables']. In that 
> case, only the values of those specific variables will be checked.
>
> The Auth decorator should be:
>
> @auth.requires_signature(hash_vars=False)
>
> hash_vars should match the value used when generating the URL (i.e., False 
> or a list of specific variables).
>
> Anthony
>

Thank you for the very informative and to the point answer!
The book is also helpful, in a more general way, at 
http://www.web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls
 
(in spite of being referenced from the Components and plugins chapter I 
confess I did miss it ;)

Umbromancer
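
The effect of hash_vars described in the quoted answer, modelled with a plain HMAC as an added example; this is not web2py's code and not part of the original thread. KEY, PATH, sign_url and verify_url are constructed names, and the signature is assumed to travel in a `_signature` query variable.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

KEY = b"constructed-demo-key"  # assumption: stands in for the per-user signing key
PATH = "/app/opportunity/listops.load"  # constructed path for the demo


def _digest(path, query_vars, hash_vars):
    """HMAC over the path plus the query variables selected by hash_vars."""
    if hash_vars is True:        # default: every query variable is covered
        covered = query_vars
    elif hash_vars is False:     # only the path is covered
        covered = []
    else:                        # only the named variables are covered
        covered = [(k, v) for k, v in query_vars if k in hash_vars]
    message = path + "?" + urlencode(sorted(covered))
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()


def sign_url(path, query_vars=(), hash_vars=True):
    """Return the URL with a signature computed under the given hash_vars."""
    query_vars = list(query_vars)
    sig = _digest(path, query_vars, hash_vars)
    return path + "?" + urlencode(query_vars + [("_signature", sig)])


def verify_url(url, hash_vars=True):
    """Recompute the signature; hash_vars must match the value used to sign."""
    path, _, query = url.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    if len(sigs) != 1:           # missing or duplicated signature: reject
        return False
    rest = [(k, v) for k, v in pairs if k != "_signature"]
    return hmac.compare_digest(sigs[0], _digest(path, rest, hash_vars))


if __name__ == "__main__":
    full = sign_url(PATH)                                   # default hashing
    loose = sign_url(PATH, hash_vars=False)                 # path only
    pinned = sign_url(PATH, [("owner", "7")], hash_vars=["owner"])
    print(verify_url(full + "&page=2"))                     # appended var breaks it
    print(verify_url(loose + "&page=2", hash_vars=False))   # any query string passes
    print(verify_url(pinned + "&page=2", hash_vars=["owner"]))
    print(verify_url(pinned.replace("owner=7", "owner=9"), hash_vars=["owner"]))
```

With a list, a server-set variable such as `owner` stays tamper-evident while variables appended in the browser remain free; with False, every query value reaching the action has to be treated as unauthenticated input.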
