Jonathan, How would you like to see this behave? Perhaps URL('index',args=[], vars={}, hash_key='xxx', hash=['args','vars']) and then URL.verify(hmac_key='xxx', hash=['args', 'vars]) so that you could choose which portions of the URL to sign and/or verify with hash=None triggering the original behavior of hashing both? Since this hasn't made it into a stable release yet I assume changes can be made still without worrying about breaking backwards compatibility.
~Brian On Dec 3, 11:13 am, Jonathan Lundell <jlund...@pobox.com> wrote: > On Dec 3, 2010, at 9:01 AM, mdipierro wrote: > > > > > New feature in trunk: > > > URL('index',args=[],vars={},hash_key='xxx') > > > the URL will have a _signature attached. The associated controller can > > check for the signature with > > > def index(): > > if not URL.verify(hmac_key='xxx'): ...... > > ... > > > Please test it. In particular we need to test the workflow and see if > > we are missing something useful or doing something wrong. > > Perhaps there should be an option to exclude the query string from the hash > calculation. Otherwise we can't sign URLs that are form actions (or that are > similarly used with Ajax).