How about this...

It allows you to use it in any normal form; you still have to press the
submit button, but it means no security issues. It also degrades
gracefully if the client does not have JavaScript.

$(document).ready(function() {

  // Replace every checkbox with class "boolean" by an on/off image.
  // The real checkbox stays in the form (hidden), so a normal submit
  // still posts its value and nothing changes without a form submission.
  $('.boolean').each(function() {
     // .val() on a checkbox is always "on"; the checked state is what matters
     var on_off = $(this).is(':checked') ? 'on' : 'off';

     var tpl = '<img src="/images/'+on_off+'.png" class="toggle_btn"';
     tpl += ' data-chk-id="' + $(this).attr("id") + '" />';

     // insertAfter(tpl) would move the checkbox after a new element;
     // after(tpl) inserts the image right after the checkbox
     $(this).after(tpl);
     $(this).hide();
  });

  $('.toggle_btn').bind('click', function() {
        var chk = $(this).attr("data-chk-id");
        var itm = $("#"+chk);
        if(itm.is(':checked')){
           itm.prop('checked', false);
           $(this).attr("src", "/images/off.png");
        }else{
           itm.prop('checked', true);
           $(this).attr("src", "/images/on.png");
        }
  });
});


--
Thadeus

On Thu, Oct 7, 2010 at 11:09 PM, mdipierro <[email protected]> wrote:
> Point taken. How about
>
> Say you have a table
>
> db.define_table('item',
>     Field('name'),
>     Field('owner', db.auth_user),   # items() below filters on this field
>     Field('checked', 'boolean', default=False))
>
> you can have two controllers like
>
> def items():
>     rows = db(db.item.owner == auth.user_id).select()
>     return dict(rows=rows)
>
> def check(): # this is a callback!
>     # state changes only on POST
>     if request.method != 'POST': return ''
>     record = db.item(request.args(0))
>     # optional check if auth.user is allowed to edit record
>     if record and record.checked == False:
>         record.update_record(checked=True)
>         return 'on'
>     elif record and record.checked == True:
>         record.update_record(checked=False)
>         return 'off'
>     return ''
>
> and in the view default/items.html
>
> <table>
>  {{for row in rows:}}
>  <tr>
>     <td>{{=row.name}}</td>
>     <td><a href="#" id="q{{=row.id}}"
>            onclick="ajax('{{=URL('check',args=row.id)}}',[],'q{{=row.id}}');return false;">{{=row.checked and 'on' or 'off'}}</a>
>     </td>
>  </tr>
>  {{pass}}
> </table>
>
> when you click on 'on' or 'off' it calls http://..../check/<id> and
> the response will replace the 'on' or 'off'
>
> On Oct 7, 10:53 pm, guruyaya <[email protected]> wrote:
>> > No the check action never creates any record. it just allows you to
>> > edit if you have access...
>>
>> OK, imagine that.
>> Say I have a "show my email to the world" boolean on my blog. Say I'm
>> allowing pictures in my comments for registered users. Now the
>> attacker puts this tag:
>> <img src="http://www.mysite.com/profile/showemail/check" />
>> Then, leaves a bot to scan for emails every 2 minutes. All those that
>> read this comment have their "show email" status changed. This way,
>> the attacker can get to emails the user decided to hide.
>> Am I missing something?
>
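The point of the thread is that a state-changing endpoint reachable by GET can be triggered by an <img> tag planted in a comment. Below is an added, stand-alone Python sketch (not Thadeus's or mdipierro's code, and not web2py's own _formkey mechanism) of the check() callback with the three defenses the thread circles around: accept only POST, require a token minted in the user's own session and usable once, and verify ownership. ITEMS, Session, Request, issue_token and the csrf_token field name are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the db.item table from the thread:
# id -> record. User 42 owns item 1; item 2 belongs to somebody else.
ITEMS = {
    1: {"id": 1, "name": "show my email", "checked": False, "owner": 42},
    2: {"id": 2, "name": "someone else's item", "checked": False, "owner": 7},
}


@dataclass
class Session:
    """Server-side session: who is logged in, plus tokens minted for it."""
    user_id: int
    csrf_tokens: set = field(default_factory=set)


@dataclass
class Request:
    """Minimal request: method, URL args (like web2py's request.args) and form vars."""
    method: str
    args: list
    vars: dict


def issue_token(session):
    """Mint a single-use token and remember it in the session.

    The page that renders the toggle embeds this value in the request it
    sends (e.g. a hidden form field); a page on another origin cannot read it.
    """
    token = secrets.token_urlsafe(16)
    session.csrf_tokens.add(token)
    return token


def _consume_token(session, token):
    """Return True (and forget the token) if it was minted for this session."""
    if not token:
        return False
    match = next((k for k in session.csrf_tokens
                  if hmac.compare_digest(k.encode(), token.encode())), None)
    if match is None:
        return False
    session.csrf_tokens.discard(match)   # single use: a replay fails
    return True


def check(request, session):
    """Toggle the 'checked' flag of the item named in args[0].

    Returns 'on' or 'off' on success and '' when the request is refused,
    mirroring the return values of the check() callback quoted in the thread.
    """
    # 1. State changes only on POST. An <img src="..."> in a comment can only
    #    make the victim's browser issue a GET, so it stops here.
    if request.method != "POST":
        return ""
    # 2. The request must carry a token minted in this session; a cross-site
    #    page cannot obtain one, and a guessed or replayed token is rejected.
    if not _consume_token(session, request.vars.get("csrf_token")):
        return ""
    # 3. Only the owner may flip the flag (the "optional check" in the thread).
    record = ITEMS.get(request.args[0]) if request.args else None
    if record is None or record["owner"] != session.user_id:
        return ""
    record["checked"] = not record["checked"]
    return "on" if record["checked"] else "off"


def demo():
    """Run the scenario from the thread; returns the list of responses."""
    session = Session(user_id=42)
    responses = []
    # the planted <img> tag: a GET with no token
    responses.append(check(Request("GET", [1], {}), session))
    # a forged POST from another origin: no valid token
    responses.append(check(Request("POST", [1], {"csrf_token": "guess"}), session))
    # the legitimate page: token minted for this session
    token = issue_token(session)
    responses.append(check(Request("POST", [1], {"csrf_token": token}), session))
    # replaying the same token
    responses.append(check(Request("POST", [1], {"csrf_token": token}), session))
    # a fresh token, but for an item the user does not own
    token = issue_token(session)
    responses.append(check(Request("POST", [2], {"csrf_token": token}), session))
    return responses


if __name__ == "__main__":
    print(demo())  # ['', '', 'on', '', '']
```

Only the third request, a POST carrying a token the server minted for that very session, flips the flag; the GET from the image tag, the token-less POST, the replay and the cross-user request all come back empty and leave the records untouched.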
