Not a stupid question. Consider this code:

    def index():
        if user_has_permission_to_call_other():
            link = A('click', _href=URL('other'))
        else:
            link = DIV('do nothing')
        return dict(link=link)

    def other():
        if not user_has_permission_to_call_other():
            redirect(URL('index'))
        return dict()

The code is checking twice whether the user has permission to call other. You must check twice, else you display the link to users who do not have access, or you expose the URL to users who do not have access. The same problem applies to callbacks.

Now you can do:

    def index():
        if user_has_permission_to_call_other():
            # the link carries a signature bound to this user's session
            link = A('click', _href=URL('other', user_signature=True))
        else:
            link = DIV('do nothing')
        return dict(link=link)

    @auth.requires_signature()
    def other():
        return dict()

Now the check is done in one single place. The code is faster and cleaner.

The URL in the link is "signed" by appending a ?_signature=<code> that is only valid for this user during this session. Even if URL('other') were to be made public accidentally, nobody else could access it.

The signature (the <code> string) is an HMAC hash using a private key for the session. It contains a hash of the full URL including all parameters passed to it.

On Jun 1, 2:38 pm, szimszon <szims...@gmail.com> wrote:
> - URL(...,user_signature=True), LOAD(...,user_signature=True) can sign
> urls and @auth.requires_signature() will check the signature for any
> decorated action.
>
> Sorry for a stupid question but what is an url signature how does it work?
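To make the mechanism concrete, here is a stand-alone Python sketch of URL signing with a per-session HMAC key, plus a decorator that plays the role of @auth.requires_signature(). This is an added example written for this thread; it is not web2py's own implementation. The session key, the SHA-256 choice, the sorted-query canonicalisation and the fake request dict are all assumptions made for the demo, not web2py internals.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

SIGNATURE_PARAM = "_signature"


def _canonical(path, query):
    """String that gets MACed: path plus the query with parameters sorted.

    Sorting makes the signature independent of parameter order while still
    covering every name/value pair and the action path itself.
    """
    return path + "?" + urlencode(sorted(query))


def sign_url(url, session_key):
    """Append _signature=<hex HMAC-SHA256> to url, keyed with session_key.

    Any existing _signature parameter is dropped first so a URL is never
    signed twice.
    """
    parts = urlparse(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SIGNATURE_PARAM]
    sig = hmac.new(session_key, _canonical(parts.path, query).encode(),
                   hashlib.sha256).hexdigest()
    query.append((SIGNATURE_PARAM, sig))
    return urlunparse(parts._replace(query=urlencode(query)))


def verify_url(url, session_key):
    """True only if url carries exactly one _signature that matches
    session_key over the path and all other parameters."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in query if k == SIGNATURE_PARAM]
    if len(sigs) != 1:          # missing or duplicated signature: reject
        return False
    rest = [(k, v) for k, v in query if k != SIGNATURE_PARAM]
    expected = hmac.new(session_key, _canonical(parts.path, rest).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak by timing
    return hmac.compare_digest(expected, sigs[0])


def requires_signature(action):
    """Decorator mirroring the post's pattern: the action body never runs
    unless the request URL was signed with the caller's session key.

    `request` is an assumed dict {"url": ..., "session_key": ...} standing
    in for a real framework request object.
    """
    def wrapped(request):
        if not verify_url(request["url"], request["session_key"]):
            return {"status": 403, "body": "invalid signature"}
        return action(request)
    return wrapped


@requires_signature
def other(request):
    return {"status": 200, "body": "secret page"}


if __name__ == "__main__":
    # Constructed demo: one session key, one signed link, a few forgeries.
    key = secrets.token_bytes(32)          # per-session secret, never sent
    signed = sign_url("/app/default/other?id=7&x=1", key)
    print("signed link:", signed)
    print("own session :", other({"url": signed, "session_key": key}))
    print("other user  :", other({"url": signed, "session_key": b"x" * 32}))
    print("tampered id :", other({"url": signed.replace("id=7", "id=8"),
                                  "session_key": key}))
    print("unsigned    :", other({"url": "/app/default/other?id=7&x=1",
                                  "session_key": key}))
```

Because the MAC covers the path and every query parameter, a signature minted for other?id=7 cannot be reused for other?id=8 or for a different action, and because the key is per session, a leaked link is useless to anyone else. Like the scheme described in the post, this example has no expiry: a signed link stays valid for as long as the session key does, which is a property to keep in mind when the signed action has side effects.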