I have a form built as a table that displays many rows to allow users to
edit or delete the row. Originally, I used the classic hidden input plus a
submit button to pass the id of the row to the edit code via post_vars.
Now, the form is becoming more complicated to enable some other
functionality and it makes more sense to handle the edit and delete choices
with links formatted as buttons (very nice buttons that can be used as
span, div, or anchor come with web2py--thanks!) with the row id and return
action as args. But, I would like to try using the signed url feature.
With 15 rows by 2 actions, that would involve calculating the signature 30
times. Since there are only two actions catching the user's choice, there
is no reason for 30 distinct hmac_keys. What I tried to do was generate
one hmac_key and strip out the key to use when creating the get vars in the
30 urls.
The problem I ran into was that I could not create a get_var with a leading
underscore: ...., vars = dict(foo='bar',_signature=sig) results in a
url that has get_vars as in:
www.domain.com/app/action/72/return_action?foo=bar. In other words, the
get_var with the leading underscore doesn't appear in the url. I also
used a dictionary literal as the vars argument: ...., vars = {'foo' :
'bar', '_signature' : sig} with the same result. It seems like web2py
doesn't like creating a url with a dictionary key with a leading
underscore. I have got to assume (haven't tested it yet) that when I test
for the signature in the receiving action using URL.verify it won't accept
the signature if the leading underscore is missing as in
signature=fjruafj888ff9f9d6 ...
This seems unfortunate. This is just a sample app and has no data volume or
users so the computational overhead doesn't matter in practice. But, it
seems like I shouldn't have to calculate n signatures when I really only
need 1 (or at most 2). Code fragments follow...
This code generates and strips out the key:
# Create key for digitally signed url
key = str( time() - random.randint(1,999999) )
link = URL('action',hmac_key=key )
idx = link.rfind('_signature')
sig = link[idx+len('_signature='):]
Further down in my code I generate the URL as the _href for an anchor in a
table column:
...
TD(A('edit',_href=URL('an_action',args=[rows.row.id,'return_action'],vars={'foo'
:'foo','signature':sig}),_class='button'))
Anybody have any suggestions? I guess I should also ask if there are
bigger reasons this won't work: for instance, maybe the name of the action
is sort of salted into the calculated key, etc...
