In

URL('adviewer', 'savesettings/location', user_signature=True)

the URL() function sees function='savesettings/location' and args=None. 
However, when a request is made to the URL generated by the above, the 
function that verifies the signature sees function='savesettings' and 
args='location'. The problem is, function='savesettings' and 
args='location' does not generate the same signature as 
function='savesettings/location' and args=None. The reason is that when 
generating the signature, the extension is first added to the function 
before concatenating the args, so when the signature is first generated, it 
is a hash of a URL that includes "/savesettings/location.html", but when 
verified, the signature is a hash of a URL that includes 
"/savesettings.html/location". Therefore, the hashes won't match because 
they are created from different strings.

Is there any reason you are using the above rather than:

URL('adviewer', 'savesettings', args='location', user_signature=True) 

which is really the correct way to use the URL() function? If you 
explicitly specify "location" as the args argument to URL(), I think it 
should work.

Anthony

On Monday, February 27, 2012 1:22:25 PM UTC-5, Detectedstealth wrote:
>
> Ok it looks like the bug is related to:
>
> URL('action/additional_parms', user_signature=True) if you have something 
> in addition to the action @auth.requires_signature fails.
>
> When using: FORM(_action=URL('adviewer','savesettings/location', 
> user_signature=True)) or redirect(URL('payment/%s' % 
> has_unpaid_orders.access_key, user_signature=True)) with 
> @auth.requires_signature() on the action it fails with access denied. 
>
> On Wed, Feb 22, 2012 at 3:19 PM, Bruce Wade <[email protected]> wrote:
>
>> When using user_signature=True in a form that action goes to another 
>> method and that method has @auth.requires_signature I am getting access 
>> denied, if I remove the @auth.requires_signature I still see the signature 
>> but don't have the access denied message.
>>
>> FORM: 
>> # adviewer.viewads();
>>
>> locationform=FORM(
>>         DIV(
>>             SELECT(countries_options,_id='by-country',_name='country', 
>> _onchange="updateProvinces(this)", value=selected_country),
>>             _id='country_options', _class='filter-selects'    
>>         ),
>>         DIV(
>>             SELECT(provinces_options,_id='by-province', 
>> _name='province_state',_onchange="updateCities(this)", 
>> value=selected_province),        
>>             _id='province_options', _class='filter-selects' 
>>         ),
>>         DIV(SELECT(
>>             cities_options,_id='by-province', _name='city', 
>> value=selected_city),
>>             _id='city_options', _class='filter-selects' 
>>         ),
>>         DIV(_class='clear'),
>>         INPUT(_type='submit', _value='Save', _class='filter-btn'),
>>         _name='locationform',
>>         _action=URL('adviewer','savesettings/location', 
>> user_signature=True)
>>     )
>>
>> Capture Method:
>> # adviewer.savesettings()
>> # URL submitted to this method:
>> http://127.0.0.1:8000/zh/adviewer/savesettings/location?_signature=82ef7150a3c6eaac57032c8bd943b42789828025
>> @auth.requires_login()
>> @auth.requires_signature()  # If I remove this there is no access denied.
>> def savesettings():
>>     print request.vars
>>     print request.args(0)
>>     from youadAPI.adviewer_api import AdViewerEngine
>>     if request.args(0) == 'location':
>>         adviewer_engine.update_or_create_adviewer_settings(
>>             AdViewerEngine.location, 
>>             dict(
>>                  country=request.vars['country'], 
>>                  province=request.vars['province_state'],
>>                  city=request.vars['city']
>>             )
>>         )
>>     elif request.args(0) == 'language':
>>         adviewer_engine.update_or_create_adviewer_settings(
>>             AdViewerEngine.language,
>>             dict(
>>                 language = request.vars['language']
>>             )                                             
>>         )
>>     elif request.args(0) == 'keywords':
>>         adviewer_engine.update_or_create_adviewer_settings(
>>             AdViewerEngine.keywords,
>>             dict(
>>                 keywords = request.vars['keywords'] 
>>             )
>>         )
>>
>> -- 
>> -- 
>> Regards,
>> Bruce Wade
>> http://ca.linkedin.com/in/brucelwade
>> http://www.wadecybertech.com
>> http://www.warplydesigned.com
>> http://www.fitnessfriendsfinder.com
>>  
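The mismatch Anthony describes, as an added example that is not code from this thread or from web2py itself: a simplified model of what URL() signs and what the verifier behind @auth.requires_signature() recomputes, using a constructed HMAC key. The model assumes, as the reply states, that the extension is appended to the function before the args are joined on, and that the router treats the third path component as the function and everything after it as args.

```python
import hashlib
import hmac

# Constructed demo key; web2py keeps the real one in the session, any value works here.
HMAC_KEY = b"constructed-demo-key"


def signed_string(application, controller, function, args, extension="html"):
    """Model of the string URL() signs: the extension goes onto the function
    FIRST, and the args are appended AFTER that."""
    path = "/%s/%s/%s.%s" % (application, controller, function, extension)
    for arg in args:
        path += "/%s" % arg
    return path


def sign(message):
    return hmac.new(HMAC_KEY, message.encode("utf-8"), hashlib.sha1).hexdigest()


def url(application, controller, function, args=(), extension="html"):
    """Model of URL(..., user_signature=True): 'function' is taken literally,
    so 'savesettings/location' is signed as one function name with no args."""
    signature = sign(signed_string(application, controller, function, args, extension))
    path = "/%s/%s/%s" % (application, controller, function)
    for arg in args:
        path += "/%s" % arg
    return "%s?_signature=%s" % (path, signature)


def verify(request_url, extension="html"):
    """Model of the verifier: the router splits the request path into
    /app/controller/function/arg0/arg1..., so the third component is the
    function and the rest are args, whatever URL() was originally told."""
    path, _, query = request_url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    presented = params.get("_signature", "")
    application, controller, function, *args = path.strip("/").split("/")
    expected = sign(signed_string(application, controller, function, args, extension))
    return hmac.compare_digest(expected, presented)


# The call from the thread: function='savesettings/location', no args.
BROKEN = url("zh", "adviewer", "savesettings/location")
# The form Anthony recommends: function='savesettings', args='location'.
CORRECT = url("zh", "adviewer", "savesettings", args=("location",))
```

Running verify() over both URLs shows the first is rejected because "/savesettings/location.html" and "/savesettings.html/location" hash to different values, while the second verifies.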