Note, you can probably even use an auth decorator, similar to checking for
ajax-loaded components via request.cid (see
http://www.web2py.com/book/default/chapter/13#Trapped-Ajax-Links).
@auth.requires(request.env.http_web2py_component_location)
def some_block():
Also, note that testing for request.env.http_web2py_component_location is
not a foolproof security measure -- I think it can be spoofed by simply
adding 'web2py-component-location' to the HTTP request headers (same goes
for testing for request.cid).
Anthony
On Tuesday, June 7, 2011 8:26:56 AM UTC-4, Anthony wrote:
> I don't think calls to LOAD are local requests (even with ajax=False) --
> the call to LOAD simply passes the original request environment to the
> component controller action.
>
> What you need is a way to determine if a request has come in via a call to
> LOAD. In that case, request.env should include
> http_web2py_component_location (as well as http_web2py_component_element),
> so you could test for that:
>
> def some_block():
> if request.env.http_web2py_component_location:
> do_smth()
> return dict(smth=smth)
> else:
> return None
> Anthony
>
> On Tuesday, June 7, 2011 1:32:43 AM UTC-4, LightOfMooN wrote:
>
>> What is logic of request.is_local?
>>
>> I tried use it to prevent direct access to some included blocks:
>>
>>
>> def index():
>> return dict()
>>
>> def some_block():
>> if request.is_local:
>> do_smth()
>> return dict(smth=smth)
>> else:
>> return None
>>
>>
>> index.html:
>> {{=LOAD('mycontroller', 'some_block', ajax=False)[0][0]}}
>>
>> so, I thought, web2py load function with ajax=False is called locally,
>> and content of "some_block" will be available in index.html, but not
>> by url /mycontroller/some_block.html
>>
>> But request.is_local returns False.
>>
>> Is there any other way to do it?
>> (check some secret vars or args is not good)
>
>
