Thanks

On Mon, Feb 27, 2012 at 2:58 PM, Massimo Di Pierro <[email protected]> wrote:

> I am treating this as a bug. Now fixed in trunk.
>
> On Feb 27, 2:07 pm, Anthony <[email protected]> wrote:
> > In
> >
> > URL('adviewer', 'savesettings/location', user_signature=True)
> >
> > the URL() function sees function='savesettings/location' and args=None.
> > However, when a request is made to the URL generated by the above, the
> > function that verifies the signature sees function='savesettings' and
> > args='location'. The problem is, function='savesettings' and
> > args='location' does not generate the same signature as
> > function='savesettings/location' and args=None. The reason is that when
> > generating the signature, the extension is first added to the function
> > before concatenating the args, so when the signature is first generated, it
> > is a hash of a URL that includes "/savesettings/location.html", but when
> > verified, the signature is a hash of a URL that includes
> > "/savesettings.html/location". Therefore, the hashes won't match because
> > they are created from different strings.
> >
> > Is there any reason you are using the above rather than:
> >
> > URL('adviewer', 'savesettings', args='location', user_signature=True)
> >
> > which is really the correct way to use the URL() function? If you
> > explicitly specify "location" as the args argument to URL(), I think it
> > should work.
> >
> > Anthony
> >
> > On Monday, February 27, 2012 1:22:25 PM UTC-5, Detectedstealth wrote:
> >
> > > Ok it looks like the bug is related to:
> >
> > > URL('action/additional_parms', user_signature=True) if you have something
> > > in addition to the action @auth.requires_signature fails.
> >
> > > When using: FORM(_action=URL('adviewer','savesettings/location',
> > > user_signature=True)) or redirect(URL('payment/%s' %
> > > has_unpaid_orders.access_key, user_signature=True)) with
> > > @auth.requires_signature() on the action it fails with access denied.
> >
> > > On Wed, Feb 22, 2012 at 3:19 PM, Bruce Wade <[email protected]> wrote:
> >
> > >> When using user_signature=True in a form that action goes to another
> > >> method and that method has @auth.requires_signature I am getting access
> > >> denied, if I remove the @auth.requires_signature I still see the signature
> > >> but don't have the access denied message.
> >
> > >> FORM:
> > >> # adviewer.viewads();
> >
> > >> locationform=FORM(
> > >>         DIV(
> > >>             SELECT(countries_options,_id='by-country',_name='country',
> > >> _onchange="updateProvinces(this)", value=selected_country),
> > >>             _id='country_options', _class='filter-selects'
> > >>         ),
> > >>         DIV(
> > >>             SELECT(provinces_options,_id='by-province',
> > >> _name='province_state',_onchange="updateCities(this)",
> > >> value=selected_province),
> > >>             _id='province_options', _class='filter-selects'
> > >>         ),
> > >>         DIV(SELECT(
> > >>             cities_options,_id='by-province', _name='city',
> > >> value=selected_city),
> > >>             _id='city_options', _class='filter-selects'
> > >>         ),
> > >>         DIV(_class='clear'),
> > >>         INPUT(_type='submit', _value='Save', _class='filter-btn'),
> > >>         _name='locationform',
> > >>         _action=URL('adviewer','savesettings/location',
> > >> user_signature=True)
> > >>     )
> >
> > >> Capture Method:
> > >> # adviewer.savesettings()
> > >> # URL submitted to this method:
> > >> # http://127.0.0.1:8000/zh/adviewer/savesettings/location?_signature=82...
> > >> @auth.requires_login()
> > >> @auth.requires_signature()  # If I remove this there is no access denied.
> > >> def savesettings():
> > >>     print request.vars
> > >>     print request.args(0)
> > >>     from youadAPI.adviewer_api import AdViewerEngine
> > >>     if request.args(0) == 'location':
> > >>         adviewer_engine.update_or_create_adviewer_settings(
> > >>             AdViewerEngine.location,
> > >>             dict(
> > >>                  country=request.vars['country'],
> > >>                  province=request.vars['province_state'],
> > >>                  city=request.vars['city']
> > >>             )
> > >>         )
> > >>     elif request.args(0) == 'language':
> > >>         adviewer_engine.update_or_create_adviewer_settings(
> > >>             AdViewerEngine.language,
> > >>             dict(
> > >>                 language = request.vars['language']
> > >>             )
> > >>         )
> > >>     elif request.args(0) == 'keywords':
> > >>         adviewer_engine.update_or_create_adviewer_settings(
> > >>             AdViewerEngine.keywords,
> > >>             dict(
> > >>                 keywords = request.vars['keywords']
> > >>             )
> > >>         )
> >
> > >> --
> > >> --
> > >> Regards,
> > >> Bruce Wade
> > >> http://ca.linkedin.com/in/brucelwade
> > >> http://www.wadecybertech.com
> > >> http://www.warplydesigned.com
> > >> http://www.fitnessfriendsfinder.com
> >
> > > --
> > > --
> > > Regards,
> > > Bruce Wade
> > > http://ca.linkedin.com/in/brucelwade
> > > http://www.wadecybertech.com
> > > http://www.warplydesigned.com
> > > http://www.fitnessfriendsfinder.com
>



-- 
-- 
Regards,
Bruce Wade
http://ca.linkedin.com/in/brucelwade
http://www.wadecybertech.com
http://www.warplydesigned.com
http://www.fitnessfriendsfinder.com
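
The mismatch Anthony describes in the quoted thread, reproduced as an added example (not part of the original messages and not web2py's own code). The key, the `app` name, every function name, and the `normalize` option, which shows one possible way to make signer and verifier agree, are assumptions made for illustration.

```python
import hashlib
import hmac

HMAC_KEY = b"constructed-demo-key"  # constructed; stands in for the signing key


def canonical_path(app, controller, function, args=None,
                   extension="html", normalize=False):
    """Build the string that is signed: /app/controller/function.ext/args..."""
    args = list(args or [])
    if normalize and "/" in function:
        # Move extra path segments out of the function name so the signer
        # sees the same (function, args) pair the request router produces.
        function, *extra = function.split("/")
        args = extra + args
    path = "/%s/%s/%s.%s" % (app, controller, function, extension)
    if args:
        path += "/" + "/".join(args)
    return path


def sign(path):
    return hmac.new(HMAC_KEY, path.encode(), hashlib.sha256).hexdigest()


def route(url_path):
    """Split an incoming path the way the verifying side sees the request."""
    app, controller, function, *args = url_path.strip("/").split("/")
    return app, controller, function, args


def verify(url_path, signature, normalize=False):
    app, controller, function, args = route(url_path)
    expected = sign(canonical_path(app, controller, function, args,
                                   normalize=normalize))
    return hmac.compare_digest(expected, signature)


def roundtrip(function, args=None, normalize=False):
    """Sign as the URL() caller would, then verify as the handler would."""
    signed = canonical_path("app", "adviewer", function, args,
                            normalize=normalize)
    # The requested URL carries no extension: segments are simply joined.
    requested = "/app/adviewer/" + "/".join([function] + list(args or []))
    return signed, verify(requested, sign(signed), normalize=normalize)
```

The failure is fail-closed (a valid user is denied), but it shows why the signer and the verifier must derive the signed string from the same parsed form of the URL.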
