with a .load component, wouldn't it be cleaner and more reusable?

2010/10/8 Thadeus Burgess <[email protected]>:
> How about this...
>
> It allows it to be used in any normal form. You still have to press the
> submit button, but it means no security issues. It also degrades
> gracefully if the client does not have JavaScript.
>
> $(document).ready(function() {
>
>  $('.boolean').each(function() {
>     // a checkbox's .val() is its value attribute, not its state,
>     // so test the checked state instead
>     var on_off;
>     if($(this).is(':checked')) {
>        on_off = 'on';
>     }else{
>        on_off = 'off';
>     }
>
>     var tpl = '<img src="/images/'+on_off+'.png" class="toggle_btn"';
>     tpl += ' chk_id="' + $(this).attr("id") + '" />';
>
>     // insert the image after the checkbox, then hide the checkbox
>     $(tpl).insertAfter($(this));
>     $(this).hide();
>  });
>
>  $('.toggle_btn').bind('click', function() {
>        var chk = $(this).attr("chk_id");
>        var itm = $("#"+chk);
>        if(itm.is(':checked')){
>           itm.attr("checked", false);
>           $(this).attr("src", "/images/off.png");
>        }else{
>           itm.attr("checked", true);
>           $(this).attr("src", "/images/on.png");
>        }
>  });
> });
>
>
> --
> Thadeus
>
>
>
>
>
> On Thu, Oct 7, 2010 at 11:09 PM, mdipierro <[email protected]> wrote:
>> Point taken. How about
>>
>> Say you have a table
>>
>> db.define_table('item',
>>     Field('name'),
>>     Field('owner', db.auth_user, default=auth.user_id), # used by items() below
>>     Field('check','boolean',default=False))
>>
>> you can have two controllers like
>>
>> def items():
>>       rows=db(db.item.owner==auth.user_id).select()
>>       return dict(rows=rows)
>>
>> def check(): # this is a callback!
>>       if request.method!='POST': return ''
>>       record=db.item(request.args(0))
>>       # optional check if auth.user is allowed to edit record
>>       if record and record.check==False:
>>             record.update_record(check=True)
>>             return 'on'
>>       elif record and record.check==True:
>>             record.update_record(check=False)
>>             return 'off'
>>       return ''
>>
>> and in the view default/items.html
>>
>> <table>
>>  {{for row in rows:}}
>>  <tr>
>>     <td>{{=row.name}}</td>
>>     <td><a href="#" id="q{{=row.id}}"
>>         onclick="ajax('{{=URL('check',args=row.id)}}',[],'q{{=row.id}}');return false;">
>>         {{=row.check and 'on' or 'off'}}</a>
>>     </td>
>>  </tr>
>>  {{pass}}
>> </table>
>>
>> When you click on 'on' or 'off' it calls http://..../check/<id> and
>> the response replaces the 'on' or 'off'.
>>
>> On Oct 7, 10:53 pm, guruyaya <[email protected]> wrote:
>>> > No the check action never creates any record. it just allows you to
>>> > edit if you have access...
>>>
>>> OK, imagine that.
>>> Say I have a "show my email to the world" boolean on my blog. Say I'm
>>> allowing pictures in my comments for registered users. Now the
>>> attacker puts this tag:
>>> <img src="http://www.mysite.com/profile/showemail/check" />
>>> Then, leave a bot to scan for emails every 2 minutes. All those that
>>> read this comment have their "show email" status changed. This way
>>> the attacker can get to emails the user decided to hide.
>>> Am I missing something?
>>
>
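As an added illustration of the point argued in this thread (not code from the thread or from web2py), here is a plain-Python model of the toggle callback: it refuses anything but POST, so the `<img src=...>` trick from guruyaya's message cannot flip the flag, and it performs the ownership check that mdipierro's comment calls optional. It goes one step beyond the thread by also binding the POST to a per-session token, because a hidden auto-submitting form on a third-party page can still issue a POST. The `Request` class, the `make_db()` dictionary standing in for the `item` table, the `new_token()` helper and the user ids 7 and 8 are all constructed for the example.

```python
# Constructed example: a state-changing toggle callback modelled on the
# thread's check() controller. Request, make_db() and new_token() are
# stand-ins, not web2py objects.
import secrets


class Request:
    """Constructed stand-in for the pieces of web2py's request used here."""

    def __init__(self, method, user_id, record_id, vars=None):
        self.method = method            # 'GET' or 'POST'
        self.user_id = user_id          # stands in for auth.user_id
        self.record_id = record_id      # stands in for request.args(0)
        self.vars = vars or {}          # stands in for request.vars (POST body)


def make_db():
    """Constructed sample data: item 1 belongs to user 7, item 2 to user 8."""
    return {
        1: {"name": "first", "owner": 7, "check": False},
        2: {"name": "second", "owner": 8, "check": True},
    }


def new_token(session):
    """Issue a random token kept in the session; the page embeds it in its POST."""
    session["toggle_token"] = secrets.token_hex(16)
    return session["toggle_token"]


def check(request, session, db):
    """Toggle item.check and return 'on' or 'off'; return '' and change nothing otherwise."""
    # 1. A GET, e.g. an <img src="http://.../check/1"> planted in a comment,
    #    never changes state.
    if request.method != "POST":
        return ""
    # 2. Beyond the thread: require a session-bound token so that a cross-site
    #    form POST, which cannot read the victim's page, is rejected too.
    expected = session.get("toggle_token")
    supplied = str(request.vars.get("token", ""))
    if not expected or not secrets.compare_digest(expected, supplied):
        return ""
    # 3. The record must exist and belong to the logged-in user (the thread's
    #    "optional check if auth.user is allowed to edit record").
    record = db.get(request.record_id)
    if record is None or record["owner"] != request.user_id:
        return ""
    record["check"] = not record["check"]
    return "on" if record["check"] else "off"
```

Calling `check()` with a GET returns the empty string and leaves the row untouched; a POST from the owner with a valid token flips the flag and returns the new label, which is what the ajax call writes back into the link. A POST from another user, or with no token, is a no-op.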
