This is like the Channel API in App Engine. Hope that Rocket can support long polling in the future.
On 22 May 2011 08:47, Massimo Di Pierro <[email protected]> wrote:
> There is something new and potentially very important for web2py.
> Example:
>
>     @auth.requires_login()
>     def index():
>         link = A('click me', _href=URL('callback', user_signature=True))
>         return dict(link=link)
>
>     @auth.requires_signature()  # NEW!!
>     def callback():
>         return dict(hello='hello world')
>
> Explanation:
>
> URL(..., user_signature=True) signs the URL using an HMAC key that is
> private to the user.
> @auth.requires_signature() forces the following function to check for
> a signature. Nobody can call the function but the user that got the link
> in the first place. The link is only valid for that user as long as
> the user is logged in. If the user logs out (even if he/she logs in
> again) the link is no longer valid.
>
> You can also use it with {{=LOAD(...,user_signature=True)}}.
>
> This makes it very easy to secure ajax calls and many parts of the code.
> Basically, if you display a link to a user and the link points to a
> decorated function, the user has access (for the duration of the
> session only). Nobody else has access.
>
> Comments, suggestions for improvement?
> Let me know if you try it and if you like it.
>
> jqgrid in plugin_wiki has a vulnerability that is fixed by this
> mechanism. The fixed plugin_wiki can be found in
> http://code.google.com/p/cube2py/.
> It will be posted again with the new web2py stable.
>
> Ideally I would like to use a generalization of this for federated
> access control. Not completely sure how yet.
>
> Massimo
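To make the mechanism in the quoted mail concrete, here is an added, self-contained Python model of it. It is not web2py's own code: the `Session`, `signed_url`, `verify_signature` and `requires_signature` names are assumptions standing in for `URL(..., user_signature=True)` and `@auth.requires_signature()`. It shows the three properties Massimo describes: a signed link verifies for the user who got it, it fails for any other user and for a tampered query string, and it stops verifying once that user logs out, because the HMAC key lives only in the session and a fresh login gets a fresh key.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class Session:
    """Constructed stand-in for a web session: holds one private HMAC key per login."""

    def __init__(self):
        self.user_id = None
        self.hmac_key = None

    def login(self, user_id):
        self.user_id = user_id
        # A new random key on every login: old links die with the old session.
        self.hmac_key = secrets.token_bytes(32)

    def logout(self):
        self.user_id = None
        self.hmac_key = None


def canonical(path, args):
    """String covered by the signature: path plus sorted args, minus the signature itself."""
    items = sorted((k, v) for k, v in args.items() if k != "_signature")
    return path + "?" + urlencode(items)


def signed_url(session, path, **args):
    """Model of URL(..., user_signature=True): append an HMAC over path and args."""
    if session.hmac_key is None:
        raise PermissionError("no logged-in session to sign with")
    sig = hmac.new(session.hmac_key, canonical(path, args).encode(), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(dict(args, _signature=sig))


def verify_signature(session, url):
    """Model of the check behind @auth.requires_signature()."""
    if session.hmac_key is None:          # logged out: nothing can verify
        return False
    parsed = urlparse(url)
    args = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    provided = args.get("_signature")
    if provided is None:
        return False
    expected = hmac.new(session.hmac_key, canonical(parsed.path, args).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(provided, expected)


def requires_signature(handler):
    """Decorator: refuse to run the handler unless the request URL verifies for this session."""
    def wrapper(session, url):
        if not verify_signature(session, url):
            raise PermissionError("bad or missing signature")
        return handler(session, url)
    return wrapper


@requires_signature
def callback(session, url):
    return {"hello": "hello world"}


def demo():
    """Walk through the scenarios from the mail; returns the four verification outcomes."""
    alice = Session()
    alice.login("alice")
    url = signed_url(alice, "/app/default/callback", id=42)

    ok_self = verify_signature(alice, url)          # the user who got the link

    bob = Session()
    bob.login("bob")
    ok_other = verify_signature(bob, url)           # someone else with the same link

    ok_tampered = verify_signature(alice, url.replace("id=42", "id=43"))  # edited args

    alice.logout()
    alice.login("alice")                            # same user, new session
    ok_relogin = verify_signature(alice, url)

    return ok_self, ok_other, ok_tampered, ok_relogin


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The decorated `callback` only runs for a URL that the same session signed; everything else raises before the handler body executes, which is the point of putting the check in a decorator rather than inside each action.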

