On Thursday, May 12, 2011 8:36:36 AM UTC-4, selecta wrote: > > > > On May 11, 7:07 pm, pbreit <[email protected]> wrote: > > Hmmm...I haven't seen that pattern. I always put the LOAD() in a view. > And > > decorate the calling controller. I don't see why or when you'd ever want > to > > protect an individual component. > because you cannot grantee that the component cannot be guessed > image somebody had access before, and now he is rejected access but > sill has a record of the component urls > i generally protect all components that are used in protected > controller function
Note, if a given function is *only* to be used as a component and you want to protect it from being accessed independently, you can decorate it with: @auth.requires(request <http://web2py.com/book/default/docstring/request>. cid) That will ensure it can only be accessed via a component ajax call (but won't require a separate login). Of course, some functions may serve as both a component (i.e., func.load) and a regular page (i.e., func.html) -- in that case, you would want @auth.requires_login() to protect the function. Anthony
