Long poll is not a good idea without async, and WSGI is not designed for async.
On May 21, 10:41 pm, BearXu <[email protected]> wrote:
> This is like the channel API in the app engine.
> Hope that rocket can support long poll in the future.
>
> On 22 May 2011 08:47, Massimo Di Pierro <[email protected]> wrote:
>
> > There is something new and potentially very important for web2py.
> > Example:
> >
> > @auth.requires_login()
> > def index():
> >     link = A('click me', _href=URL('callback', user_signature=True))
> >     return dict(link=link)
> >
> > @auth.requires_signature() # NEW!!
> > def callback():
> >     return dict(hello='hello world')
> >
> > explanation:
> >
> > URL(..., user_signature=True) signs the URL using an HMAC key that is
> > private to the user.
> > @auth.requires_signature() forces the following function to check for
> > signature. Nobody can call the function but the user that got the link
> > in the first place. The link is only valid for that user as long as
> > the user is logged in. If the user logs out (even if he/she logs in
> > again) the link is no longer valid.
> >
> > You can also use it with {{=LOAD(...,user_signature=True)}}.
> >
> > This makes it very easy to secure ajax calls and many parts of the code.
> > Basically if you display a link to a user and the link points to a
> > decorated function, the user has access (for the duration of the
> > session only). Nobody else has access.
> >
> > Comments, suggestions for improvement?
> > Let me know if you try it and if you like it.
> >
> > jqgid in plugin_wiki has a vulnerability that is fixed by this
> > mechanism. The fixed plugin_wiki can be found
> > in http://code.google.com/p/cube2py/.
> > It will be posted again with the new web2py stable.
> >
> > Ideally I would like to use a generalization of this for federated
> > access control. Not completely sure how yet.
> >
> > Massimo
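
The per-user signing scheme described in the quoted message, sketched as an added example (not web2py's own code and not written by anyone in this thread). It assumes a hypothetical `Session` object holding a random key created at login; `sign_url`, `verify_url` and the `_signature` parameter name are chosen for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit


class Session:
    """Constructed stand-in for a server-side login session (hypothetical)."""

    def __init__(self, user_id):
        self.user_id = user_id
        # Fresh random key per login, so logging in again yields a new key.
        self.hmac_key = secrets.token_bytes(32)


def _mac(session, path, params):
    # Sort parameters so the MAC does not depend on their order in the URL.
    message = path + "?" + urlencode(sorted(params))
    return hmac.new(session.hmac_key, message.encode(), hashlib.sha256).hexdigest()


def sign_url(session, path, params=()):
    """Return path?query with a `_signature` parameter appended."""
    params = list(params)
    signature = _mac(session, path, params)
    return path + "?" + urlencode(params + [("_signature", signature)])


def verify_url(session, url):
    """True only if the URL was signed with this session's key."""
    if session is None:  # caller is not logged in
        return False
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == "_signature"]
    if len(sigs) != 1:  # missing or duplicated signature
        return False
    rest = [(k, v) for k, v in params if k != "_signature"]
    expected = _mac(session, parts.path, rest)
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(sigs[0].encode(), expected.encode())
```

Because the key lives in the session, discarding the session at logout is what invalidates every link issued under it; no per-link revocation list is needed.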

