When using signed URLs, how do users get to that function (given that the
URL requires a signature)? How do you construct the URL?
When using @auth.requires_signature(), does sorting and searching the grid
work? Only edit fails?
Anthony
On Sunday, April 21, 2019 at 12:30:29 PM UTC-4, João Matos wrote:
>
> Here is the correct version (my previous post, which I deleted, was
> another version):
>
> #@auth.requires_signature()
> @auth.requires_login()
> def index():
>     # type: () -> Dict[str, gluon.DIV]
>     """Index page.
>
>     :return: Dict with grid.
>     """
>     if session.return_to:
>         del session.return_to
>
>     session.table = 'opt_cat'
>
>     # Hidden fields in grid and edit/view form.
>     db.opt_cat.id.readable = False
>
>     db.opt_cat.one_opt_only.show_if = db.opt_cat.mandatory == False
>
>     if SUPERVISOR_ROLE_ID in auth.user_groups:
>         # Uses covering index opt_cat_is_active_name_en.
>         # Uses auto index sqlite_autoindex_opt_cat_1.
>         grid = SQLFORM.grid(
>             db.opt_cat,
>             csv=False,
>             details=False,
>             # Disable delete checkbox in edit form.
>             editargs=dict(deletable=False),
>             maxtextlength=GRID_COL_LEN_FOR_TEXT,
>             ondelete=on_delete,  # Grid only.
>             onvalidation=on_validation,  # And onupdate are form only.
>             orderby=db.opt_cat.name,
>             paginate=session.auth.user.pagination,
>             # represent_none='',  # Grid and view form only.
>         )  # type: gluon.DIV
>     else:
>         # Hidden fields in grid and edit/view form.
>         db.opt_cat.canceled_on.readable = False
>         db.opt_cat.canceled_by.readable = False
>         db.opt_cat.cancel_approved_by.readable = False
>
>         # Uses covering index opt_cat_is_active_name_en (is_active=?).
>         # Uses index opt_cat_is_active_name (is_active=?).
>         grid = SQLFORM.grid(
>             db.opt_cat.is_active == True,
>             create=False,
>             csv=False,
>             deletable=False,
>             details=False,
>             editable=False,
>             maxtextlength=GRID_COL_LEN_FOR_TEXT,
>             orderby=db.opt_cat.name,
>             paginate=session.auth.user.pagination,
>             # represent_none='',  # Grid and view form only.
>         )
>
>     # Remove icons from default buttons.
>     grid.elements('span.icon', replace=None)
>
>     if request.args:
>         # Remove delete button.
>         grid.element('#delete_with_approval', replace=None)
>
>     if not request.args:
>         # Sort grid's search fields list.
>         grid.element('#w2p_query_fields').components = sort_grid_search_fields_list(grid)
>
>         if session.opt_cat_modified_on:
>             del session.opt_cat_modified_on
>     elif 'edit' in request.args:
>         # Edit uses opt_cat Pk.
>
>         form = grid.update_form  # type: gluon.sqlhtml.SQLFORM
>         # form['hidden'].update(mon=form.record.modified_on)
>         # Solves the record changed while editing, but doesn't solve it
>         # if the user 1st tries something that returns form.errors (eg.
>         # changing a unique field to something that already exists) and
>         # only after that he tries to save the record (which was changed
>         # by another user). For this the only solution I've found was
>         # using a session var.
>
>         if not session.opt_cat_modified_on:
>             session.opt_cat_modified_on = form.record.modified_on
>
>         if not form.record.is_active and not SUPERVISOR_ROLE_ID in auth.user_groups:
>             session.flash = T('Record was deleted while you were viewing the grid.')
>             redirect(URL(user_signature=True))
>
>     return dict(grid=grid)
>
>
>
>
> On Sunday, April 21, 2019 at 17:22:44 UTC+1, Anthony wrote:
>>
>> On Sunday, April 21, 2019 at 10:53:08 AM UTC-4, João Matos wrote:
>>>
>>> I wanted to have signed URLs everywhere.
>>> For that, I added user_signature=True to all my URL(). The grid has that
>>> as a default.
>>> At this point everything worked with @requires_login() except one
>>> special case (I believe this special case may be related to the same issue
>>> I'm facing with this I describe here).
>>>
>>> Then I added a var called sid (for session id) to every URL() which I
>>> use to identify the session (this way I'm able to distinguish between 2
>>> browser tabs).
>>> At this point everything worked with @requires_login() except the
>>> special case I mentioned above.
>>>
>>> Then I replaced @auth.requires_login() with @auth.requires_signature()
>>> and I'm able to access the grid but not the edit form. I receive a Not
>>> Authorized message.
>>>
>>> In all these tests I'm logged in.
>>>
>>> If I remove the sid var and keep the @auth.requires_signature()
>>> everything works.
>>>
>>> If I replace @auth.requires_signature() with @auth.requires_login()
>>> and keep the sid var everything works.
>>>
>>> Only the combination of both doesn't work.
>>>
>>
>> Need to see the code.
>>
>
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.