Point taken. How about

Say you have a table

db.define_table('item',
    Field('name'),
    # owner is needed by the db.item.owner filter in items() below
    Field('owner', 'reference auth_user', default=auth.user_id),
    Field('checked', 'boolean', default=False))

you can have two controllers like

def items():
    rows = db(db.item.owner == auth.user_id).select()
    return dict(rows=rows)

def check():  # this is a callback!
    # only honour POSTs (ajax() sends POST); an <img src=...> or a plain
    # link can only issue a GET, so it reaches this line and stops here
    if request.env.request_method != 'POST': return ''
    record = db.item(request.args(0))
    # check that the logged-in user is allowed to edit this record
    if not record or record.owner != auth.user_id: return ''
    if record.checked == False:
        record.update_record(checked=True)
        return 'on'
    else:
        record.update_record(checked=False)
        return 'off'

and in the view default/items.html

<table>
  {{for row in rows:}}
  <tr>
     <td>{{=row.name}}</td>
     <td><a href="#" id="q{{=row.id}}"
            onclick="ajax('{{=URL('check',args=row.id)}}',[],'q{{=row.id}}');return false;">{{=row.checked and 'on' or 'off'}}</a>
     </td>
  </tr>
  {{pass}}
</table>

When you click on 'on' or 'off' it calls http://..../check/<id> and
the response replaces the 'on' or 'off'.

On Oct 7, 10:53 pm, guruyaya <[email protected]> wrote:
> > No the check action never creates any record. it just allows you to
> > edit if you have access...
>
> OK, Imagine that.
> Say I have a "show my email to the world" boolean on my blog. Say I'm
> allowing pictures in my comments, for registered users. Now the
> attacker, puts this tag:
> <img src="http://www.mysite.com/profile/showemail/check"; />
> Then, leave a bot to scan for emails, every 2 minutes. All those that
> read this comment, have their "show email" status changed. This way,
> the attacker can get to emails, the user decided to hide.
> Am I missing something?
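The following is an added example, not code from either poster or from web2py: a framework-free model of the check() callback above, so the two cases in this thread can be run side by side. Requests and records are plain Python objects (the Request class, sample_items() and the _csrf field are assumptions of this example; in web2py the same checks read request.env.request_method, auth.user_id, request.vars and db.item(id)). It shows that a GET, which is all an <img src=...> tag can send, never changes the record, while the POST sent by ajax() does. It also goes one step beyond the thread: because a form on another site can still POST, the callback additionally requires a token stored in the user's session, which a cross-site request cannot know.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for web2py's request object (assumption of this example)."""
    method: str                                 # 'GET' or 'POST'
    user_id: object = None                      # logged-in user id, None if anonymous
    args: list = field(default_factory=list)    # URL arguments, like request.args
    vars: dict = field(default_factory=dict)    # submitted fields, like request.vars


def new_session_token():
    """Per-session secret the view embeds in the ajax() call (assumed design)."""
    return secrets.token_hex(16)


def sample_items():
    """Constructed sample rows standing in for the db.item table."""
    return {
        1: {"id": 1, "name": "show email", "owner": 7, "checked": False},
        2: {"id": 2, "name": "show phone", "owner": 9, "checked": True},
    }


def check(request, items, session_token):
    """Toggle items[id]['checked'] and return 'on'/'off'; '' when refused."""
    # 1. state changes only on POST: an <img> tag, a link or a prefetch
    #    issues a GET, so the attack from the quoted message stops here
    if request.method != "POST":
        return ""
    # 2. the token must match the one in the requester's session; a POST
    #    forged from another site cannot read it, so it is refused as well
    if request.vars.get("_csrf") != session_token:
        return ""
    # 3. look up the record from the first URL argument, as db.item(request.args(0)) does
    try:
        record = items.get(int(request.args[0]))
    except (IndexError, ValueError):
        return ""
    if record is None:
        return ""
    # 4. the ownership check the thread calls optional, made mandatory here
    if record["owner"] != request.user_id:
        return ""
    record["checked"] = not record["checked"]
    return "on" if record["checked"] else "off"


if __name__ == "__main__":
    items, token = sample_items(), new_session_token()
    print(repr(check(Request("GET", 7, ["1"]), items, token)))                     # '' : img-tag style GET
    print(repr(check(Request("POST", 7, ["1"], {"_csrf": token}), items, token)))  # 'on': ajax() POST by owner
    print(repr(check(Request("POST", 9, ["1"], {"_csrf": token}), items, token)))  # '' : wrong owner
```

In the view, the token would be passed as a third-argument form field to ajax() (for instance by giving the link a hidden input holding session._csrf); the method check alone is what the thread relies on, and the token is the usual extra layer against a cross-site form that POSTs.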
