Jonathan,

How would you like to see this behave? Perhaps URL('index',args=[],
vars={}, hash_key='xxx', hash=['args','vars']) and then
URL.verify(hmac_key='xxx', hash=['args', 'vars']) so that you could
choose which portions of the URL to sign and/or verify with hash=None
triggering the original behavior of hashing both? Since this hasn't
made it into a stable release yet I assume changes can be made still
without worrying about breaking backwards compatibility.

~Brian

On Dec 3, 11:13 am, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Dec 3, 2010, at 9:01 AM, mdipierro wrote:
>
>
>
> > New feature in trunk:
>
> > URL('index',args=[],vars={},hash_key='xxx')
>
> > the URL will have a _signature attached. The associated controller can
> > check for the signature with
>
> > def index():
> >     if not URL.verify(hmac_key='xxx'): ......
> >     ...
>
> > Please test it. In particular we need to test the workflow and see if
> > we are missing something useful or doing something wrong.
>
> Perhaps there should be an option to exclude the query string from the hash 
> calculation. Otherwise we can't sign URLs that are form actions (or that are 
> similarly used with Ajax).
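
An added sketch of the selective signing discussed in this thread; it is not web2py's implementation and not code from any of the posters. `sign_url`, `verify_url` and the message layout are hypothetical names and choices; the `hash` keyword follows the proposal above (`None` covers both args and vars).

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

PARTS = ("args", "vars")  # components a caller may choose to sign


def _mac(key, base, args, pairs, covered):
    # Canonical message: base path, then each covered part with a label,
    # NUL-separated, so an args-only MAC can never equal a vars-only MAC.
    msg = [base]
    if "args" in covered:
        msg.append("args:" + "/".join(args))
    if "vars" in covered:
        msg.append("vars:" + urlencode(sorted(pairs)))
    return hmac.new(key.encode(), "\0".join(msg).encode(),
                    hashlib.sha256).hexdigest()


def sign_url(base, args=(), vars=None, key="", hash=None):
    """Build base/args?vars and append _signature over the chosen parts.
    (vars/hash shadow builtins only to mirror the thread's keywords.)"""
    covered = PARTS if hash is None else tuple(hash)
    pairs = list((vars or {}).items())
    sig = _mac(key, base, list(args), pairs, covered)
    path = "/".join([base, *args])
    return path + "?" + urlencode(pairs + [("_signature", sig)])


def verify_url(url, base, key, hash=None):
    """Recompute the MAC from the received URL; compare in constant time."""
    covered = PARTS if hash is None else tuple(hash)
    split = urlsplit(url)
    if split.path != base and not split.path.startswith(base + "/"):
        return False
    args = [a for a in split.path[len(base):].split("/") if a]
    pairs = parse_qsl(split.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    if len(sigs) != 1:  # missing or duplicated signature: reject
        return False
    pairs = [(k, v) for k, v in pairs if k != "_signature"]
    expected = _mac(key, base, args, pairs, covered)
    return hmac.compare_digest(sigs[0].encode(), expected.encode())
```

With `hash=['args']` a form can add its own fields to a signed action URL and still verify, but nothing in the query string is authenticated in that mode, so the controller must treat every var as untrusted input.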
