On Friday, May 13, 2011 7:37:29 PM UTC-4, pbreit wrote:
> This isn't fool-proof, though, right? Since anyone could add a "cid" arg to the URL?
You're right, I don't think checking for request.cid is fool-proof, but it's not as easy as adding a "cid" argument to the URL (it checks for the existence of request.cid, not whether "cid" is in request.args). It appears that request.cid is filled in if there is a 'web2py-component-element' header in the incoming HTTP request (which would be put there by the 'web2py_ajax_page' function in web2py_ajax.html) -- so I think someone would have to hack the HTTP header before sending the request in order to defeat the @auth.requires(request.cid) check. I suppose requiring login is probably safest. Maybe I'm missing something, though.

Anthony
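As an added illustration of the two conditions compared above (example code, not from the thread or from web2py itself): a stand-alone model showing that a request.cid-style check tells you how a request was made, while a login check tells you who made it. Only the header name 'web2py-component-element' is taken from the thread; the Request class, the check functions and the sample requests are simplified stand-ins.

```python
# Added example, not code from the thread or from web2py: a stand-alone model of
# the two checks Anthony compares. Only the header name 'web2py-component-element'
# comes from the thread; the Request class and check functions are stand-ins.

class Request:
    """Minimal stand-in for a request object. As the thread describes for web2py,
    cid is filled in from the 'web2py-component-element' request header."""
    def __init__(self, headers, user=None):
        lowered = {k.lower(): v for k, v in headers.items()}
        self.cid = lowered.get('web2py-component-element')  # None if header absent
        self.user = user  # assumed: set only by a server-side login session


def is_component_request(request):
    """The @auth.requires(request.cid) condition: truthy only when the request
    carried the component header. It says nothing about who sent it."""
    return bool(request.cid)


def is_logged_in(request):
    """The @auth.requires_login() condition: truthy only for an authenticated
    session, regardless of how the request was made."""
    return request.user is not None


def run_action(check, request):
    """Stand-in for the decorator: return the action's result or 'denied'."""
    if not check(request):
        return 'denied'
    return 'ok for %s' % (request.user or 'anonymous')


# Constructed sample traffic (not captured from a real site).
SAMPLE_REQUESTS = {
    # 1. what web2py_ajax_page would send on behalf of a logged-in user
    'component_from_user': Request({'web2py-component-element': 'c1'}, user='alice'),
    # 2. a plain browser visit with no component header and no session
    'direct_anonymous': Request({}),
    # 3. a request carrying the header but no session
    'crafted_anonymous': Request({'web2py-component-element': 'c1'}),
}


def compare_checks(requests=SAMPLE_REQUESTS):
    """Run each request through both conditions; returns {name: (cid, login)}."""
    return {name: (run_action(is_component_request, r), run_action(is_logged_in, r))
            for name, r in requests.items()}


if __name__ == '__main__':
    for name, (cid_result, login_result) in compare_checks().items():
        print('%-20s cid check: %-16s login check: %s' % (name, cid_result, login_result))
```

The third row is the case the thread worries about: the cid condition passes because the header is present, the login condition does not, which is why requiring login is the stronger control.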

