"pbreit" above made me realize that when I was creating my first.html
and second.html, I forgot to specify default/first and default/second
(and not just first and second, without the "default/") before clicking
"create view". My bad! Thank you, pbreit!

I am happy that I posted this question because some interesting
discussion was generated.
Anthony, thank you for your input and for explaining the motivation for
introducing the generics change in newer versions of web2py. It makes
sense!
For now I am still leaving this "response.generic_patterns = ['*']"
because I am just trying to follow the tutorial and learn web2py, and
then worry more about the security issues.
Anthony, I do have a question though. Looking at your first approach,
how do I even know what generic_patterns or views I need for my
functions? Could you direct me to some documentation to read more
about it? Again, I just started working with web2py, so I am not
familiar with all these generics. Your help will be further
appreciated!
On Aug 30, 10:34 am, Anthony <[email protected]> wrote:
> On Tuesday, August 30, 2011 1:31:56 PM UTC-4, Anthony wrote:
>
> > Yes. In general, you can take one of two approaches (or some combination):
> >
> >    - Be selective about which generic_patterns you enable for which
> >    specific requests -- only enable the specific generic views you need for
> >    specific functions.
> >    - Make sure your controller functions return only the variables and
> >    database records and fields that you are comfortable exposing to the
> >    public via generic views (i.e., don't return anything to the view that
> >    is not needed or is needed only conditionally for some authorized
> >    users). For example, in the view, don't do something like
> >    {{if auth.user:}}{{show some sensitive data returned by the controller
> >    action}} -- a generic view will expose the sensitive data because it
> >    won't check for auth.user.
>
> I should add that because it's fairly easy to slip up regarding the second
> approach, it's probably wise to rely more on the first approach (i.e., be
> explicit whenever you are enabling a generic view).
>
> Anthony
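
Anthony's two approaches, as an added example that is not from this thread or from web2py's own code: a small Python simulation of how a view gets chosen (modeled here, as an assumption about the real dispatch, by fnmatch-ing "controller/function" against response.generic_patterns) and of why a controller that returns sensitive data unconditionally leaks it through generic.html even when the hand-written view hides it behind {{if auth.user:}}. The views directory, the "secret" action and the record are all constructed.

```python
import fnmatch

# Constructed stand-in for an app's views/ directory: hand-written views exist
# for default/first and default/second only; default/secret has none.
VIEWS = {"default/first.html", "default/second.html"}

def resolve_view(controller, function, generic_patterns, views=VIEWS, ext="html"):
    """Return the view that would be rendered, or None ("invalid view").
    A named view always wins. Without one, generic.<ext> is used only when
    'controller/function' matches a glob in response.generic_patterns
    (assumed matching rule, modeled with fnmatch)."""
    named = "%s/%s.%s" % (controller, function, ext)
    if named in views:
        return named
    target = "%s/%s" % (controller, function)
    if any(fnmatch.fnmatch(target, p) for p in generic_patterns):
        return "generic.%s" % ext
    return None

def secret_action(auth_user, leaky=False):
    """Hypothetical controller action. The leaky variant returns the sensitive
    field unconditionally and relies on the view to hide it; the safe variant
    only hands it to the view when the user is authenticated."""
    record = {"title": "public title", "ssn": "123-45-6789"}  # constructed row
    if leaky:
        return dict(title=record["title"], ssn=record["ssn"])
    out = dict(title=record["title"])
    if auth_user:
        out["ssn"] = record["ssn"]
    return out

def render(view, ctx, auth_user):
    """Return the keys the rendered page would show. The hand-written view
    wraps ssn in {{if auth.user:}}; generic.html dumps every key in ctx
    because it knows nothing about auth."""
    if view == "generic.html":
        return sorted(ctx)
    shown = ["title"]
    if auth_user and "ssn" in ctx:
        shown.append("ssn")
    return shown
```

With the restricted pattern list, resolve_view returns None for default/secret, so the only way that action renders is a default/secret.html you wrote yourself, which is the "be explicit" outcome Anthony recommends.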
