On Nov 12, 11:22 am, Pepe <[email protected]> wrote:
> if request.env.http_x_forwarded_for or request.env.wsgi_url_scheme\
>      in ['https', 'HTTPS']:
>     session.secure()
> elif not remote_addr in hosts:
>     raise HTTP(200, T('Admin is disabled because insecure channel'))

Huh, what exactly is that code meant to do?

Why would X-Forwarded-For being set to a non-empty value trigger the same action as if the request came over an HTTPS connection?

Also no need to check for 'HTTPS' as the WSGI standard effectively says that wsgi.url_scheme can only really be 'http' or 'https'?

For auditability, given this deals with secure access to the admin interface, the code really should be very clear about what it is doing and that code isn't obvious.

Graham
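
An added example, not part of the original thread and not web2py's code: one way to write an admin channel check so that each condition is a separate, auditable branch. The function name `admin_channel_ok`, the `LOCAL_HOSTS` allow-list, the conservative policy of refusing proxied plain-HTTP requests, and the sample environ dicts are all assumptions constructed for illustration.

```python
# Added illustration; hypothetical names, not web2py's implementation.
LOCAL_HOSTS = frozenset({"127.0.0.1", "::1"})  # assumed loopback allow-list


def admin_channel_ok(environ, local_hosts=LOCAL_HOSTS):
    """Return (allowed, reason) for an admin request given its WSGI environ.

    X-Forwarded-For is a request header the client can set, so its
    presence is never treated as evidence of TLS. When it is present the
    request passed through (or claims to have passed through) a proxy,
    and REMOTE_ADDR is then the proxy's address rather than the end
    client's, so the local-host exemption is not applied either.
    """
    scheme = environ.get("wsgi.url_scheme")   # 'http' or 'https' per WSGI
    remote_addr = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")

    if scheme == "https":
        return True, "https"
    if forwarded:
        return False, "proxied request over plain http"
    if remote_addr in local_hosts:
        return True, "direct local connection"
    return False, "insecure channel"


# Constructed sample requests: (environ, expected decision).
SAMPLES = [
    ({"wsgi.url_scheme": "https", "REMOTE_ADDR": "203.0.113.7"}, True),
    ({"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.7"}, False),
    ({"wsgi.url_scheme": "http", "REMOTE_ADDR": "127.0.0.1"}, True),
    # A local reverse proxy makes every client look like 127.0.0.1.
    ({"wsgi.url_scheme": "http", "REMOTE_ADDR": "127.0.0.1",
      "HTTP_X_FORWARDED_FOR": "198.51.100.9"}, False),
    # A header sent by a remote client must not unlock anything.
    ({"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.7",
      "HTTP_X_FORWARDED_FOR": "127.0.0.1"}, False),
]

if __name__ == "__main__":
    for env, expected in SAMPLES:
        allowed, reason = admin_channel_ok(env)
        print(f"{allowed!s:5} expected={expected!s:5} {reason}")
```
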

