This could be a default feature... Let me give it some thought.
On Oct 24, 2:48 pm, Brian M <[email protected]> wrote:
> How about including all the calculated values in your form and adding an
> additional field that's an HMAC keyed hash of the others using a key
> that only you know? When the user submits, make sure the rest of the
> field values still combine & hash the same way and then you'll know
> the user hasn't messed with the form. For that matter you could
> probably safely just put it all in the URL's query string since if the
> user messes with any part of it you'll know.
>
> http://docs.python.org/library/hmac.html
>
> You may even just be able to use web2py's CRYPT() validator.
>
> On Oct 24, 1:41 pm, cjrh <[email protected]> wrote:
> > On Oct 24, 5:03 pm, Branko Vukelic <[email protected]> wrote:
> > > * Calculated values are shown, and a form with hidden fields and a
> > > submit button labeled 'Confirm' is shown
> >
> > The hidden fields still show in the page source though. A smart user
> > could submit his own set of data if he can see what field ids are
> > being expected. That's what I want to avoid. There must be no way a
> > user can change the charge amount at any stage of the process.
> >
> > I had another idea a short while ago: I'll cache the charge amount for all
> > the rows (in the server-side session object), and send through (as
> > form post data) the identity of the selected row. That way, the next
> > controller function will be able to retrieve the appropriate
> > calculation result for the selected row, and the user will have no way
> > to edit the calculation amount.
> >
> > What do you think?
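The HMAC approach Brian describes, written out as an added example (not code from this thread or from web2py); it uses only the standard-library hmac module, and the secret key, field names and values are constructed for illustration:

```python
import hashlib
import hmac
import json

# Constructed server-side secret for this example. In a real application it
# is loaded from configuration on the server and never sent to the client.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def canonical(fields):
    """Serialize the protected fields deterministically so that the tag is
    computed over exactly the same bytes when the form comes back."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_fields(fields, key=SECRET_KEY):
    """Return the hidden fields plus a 'mac' field holding an HMAC-SHA256
    tag over all of them. Put the result into the form's hidden inputs."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    signed = dict(fields)
    signed["mac"] = tag
    return signed


def verify_fields(submitted, key=SECRET_KEY):
    """Recompute the tag over every submitted field except 'mac' and compare
    it in constant time. Returns False if the tag is missing or if any
    field (e.g. the charge amount) was changed after the form was served."""
    submitted = dict(submitted)
    tag = submitted.pop("mac", None)
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical(submitted), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample: values the server computed and rendered as hidden fields.
    served = sign_fields({"row_id": "42", "charge": "19.95", "currency": "USD"})
    print("untouched form verifies:", verify_fields(served))
    tampered = dict(served, charge="0.01")
    print("edited charge verifies:", verify_fields(tampered))
```

The tag proves the fields were not modified, but not that they are fresh: a user can resubmit an older signed set unchanged, so the signed fields should also bind whatever makes the quote specific (the user's id, the selected row, an expiry), and the server must then act only on the verified values.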