[web2py] Re: IS_EMPTY_OR(IS_IN_DB incompatible with custom form?
On Tuesday, August 26, 2014 22:49:17 UTC+2, Anthony wrote:
>
> On Tuesday, August 26, 2014 3:13:35 PM UTC-4, José L. wrote:
>>
>> Hi, I'm using a custom form to represent the fields of a table. This
>> table has referenced fields.
>> If I use:
>>
>>     db.define_table('department',
>>         Field('dept_id'),
>>         Field('nombre'), format='%(nombre)s')
>>
>>     db.define_table('employee',
>>         Field('firstName'),
>>         Field('lastName'),
>>         Field('dept_id', db.department))
>>
>> The table employee represents correctly the dept names. But if I do:
>>
>>     db.define_table('employee',
>>         Field('firstName'),
>>         Field('lastName'),
>>         Field('dept_id', db.department), requires=IS_EMPTY_OR(IS_IN_DB(db,
>>             db.department.id, '%(nombre)s')))
>>
> I assume the above is a typo -- should be:
>
>     Field('dept_id', db.department, requires=IS_EMPTY_OR(IS_IN_DB(db, db.department.id, '%(nombre)s')))
>

Yes, it was a typo.

>> {{=form.custom.widget.dept_id}} shows the department id instead of the
>> name.
>> I need to add the "IS_EMPTY_OR" condition, I've also tried adding
>> notnull=False without success.
>>
> Are you saying that in a create or update form, the select dropdown
> includes a list of IDs rather than names, or that in a grid or read-only
> form you see IDs rather than names? The former should not be the case, and
> when I try it, I see a list of names. If the latter is the problem, that is
> because you have not defined a "represent" attribute for the dept_id field
> (if you explicitly specify a "requires" argument when defining a reference
> field, you do not get the automatic "represent" attribute defined, so you
> have to define that explicitly as well).
>
> Anthony
>

It was the latter case. It worked when using a create form but not with the view. I didn't know that requires removed the "representation"; I can not recall reading that in the documentation either.

Now it works perfectly in both cases adding the represent attribute to the field definition:

    represent = lambda id, row: db.department._format % db.department(id)

Thanks very much for your help.

José L.

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[web2py] Delegated validation in an SQLFORM
I'm trying to build a form based on Google Places (geocoding) based on the following table:

    db.define_table('place',
        Field('address'),
        Field('street_number'),
        Field('route'),
        Field('locality'),
        Field('lat'),
        Field('lng'),
    )

All fields except 'address' are rendered in the form as hidden inputs.

I want my form to be validated if and only if 'lat' and 'lng' are not empty.

If I put a validator like IS_FLOAT_IN_RANGE(), these fields are indeed validated but since they are hidden there is no error message displayed.

Is there a way to invalidate 'address' if 'lat' or 'lng' is empty? If so, I could then display an error message attached to the input users actually type into.
[web2py] Re: Delegated validation in an SQLFORM
Use an onvalidate call that does the checks on lat and lng but adds the error on address.

On Wednesday, August 27, 2014 11:50:42 AM UTC+2, Louis Amon wrote:
>
> I'm trying to build a form based on Google Places (geocoding) based on the
> following table:
>
>     db.define_table('place',
>         Field('address'),
>         Field('street_number'),
>         Field('route'),
>         Field('locality'),
>         Field('lat'),
>         Field('lng'),
>     )
>
> All fields except 'address' are rendered in the form as hidden inputs.
>
> I want my form to be validated if and only if 'lat' and 'lng' are not
> empty.
>
> If I put a validator like IS_FLOAT_IN_RANGE(), these fields are indeed
> validated but since they are hidden there is no error message displayed.
>
> Is there a way to invalidate 'address' if 'lat' or 'lng' is empty? If
> so, I could then display an error message attached to the input users
> actually type into.
>
[web2py] Re: Delegated validation in an SQLFORM
You mean something like that?

    def my_validator(form):
        if form.vars['lat'] == '' or form.vars['lng'] == '':
            form.errors['address'] = "address isn't precise enough"

But then wouldn't the form be accepted anyway since onvalidation is called when every field passes validation?

On Wednesday, August 27, 2014 12:08:46 PM UTC+2, Niphlod wrote:
>
> use an onvalidate call that do the checks on lat and lng but adds the
> error on address.
>
> On Wednesday, August 27, 2014 11:50:42 AM UTC+2, Louis Amon wrote:
>>
>> I'm trying to build a form based on Google Places (geocoding) based on
>> the following table:
>>
>>     db.define_table('place',
>>         Field('address'),
>>         Field('street_number'),
>>         Field('route'),
>>         Field('locality'),
>>         Field('lat'),
>>         Field('lng'),
>>     )
>>
>> All fields except 'address' are rendered in the form as hidden inputs.
>>
>> I want my form to be validated if and only if 'lat' and 'lng' are not
>> empty.
>>
>> If I put a validator like IS_FLOAT_IN_RANGE(), these fields are indeed
>> validated but since they are hidden there is no error message displayed.
>>
>> Is there a way to invalidate 'address' if 'lat' or 'lng' is empty? If
>> so, I could then display an error message attached to the input users
>> actually type into.
>>
[web2py] Re: Delegated validation in an SQLFORM
There are two steps: the requirements on the fields themselves and the onvalidation call. That's before form.process() comes into the mix. form.process().accepted is true only when there are no form.errors. Since you're adding them in the onvalidation call, the form is processed, but not accepted.

On Wednesday, August 27, 2014 1:45:21 PM UTC+2, Louis Amon wrote:
>
> You mean something like that?
>
>     def my_validator(form):
>         if form.vars['lat'] == '' or form.vars['lng'] == '':
>             form.errors['address'] = "address isn't precise enough"
>
> But then wouldn't the form be accepted anyway since onvalidation is
> called when every field passes validation?
>
> On Wednesday, August 27, 2014 12:08:46 PM UTC+2, Niphlod wrote:
>>
>> use an onvalidate call that do the checks on lat and lng but adds the
>> error on address.
>>
>> On Wednesday, August 27, 2014 11:50:42 AM UTC+2, Louis Amon wrote:
>>>
>>> I'm trying to build a form based on Google Places (geocoding) based on
>>> the following table:
>>>
>>>     db.define_table('place',
>>>         Field('address'),
>>>         Field('street_number'),
>>>         Field('route'),
>>>         Field('locality'),
>>>         Field('lat'),
>>>         Field('lng'),
>>>     )
>>>
>>> All fields except 'address' are rendered in the form as hidden inputs.
>>>
>>> I want my form to be validated if and only if 'lat' and 'lng' are not
>>> empty.
>>>
>>> If I put a validator like IS_FLOAT_IN_RANGE(), these fields are indeed
>>> validated but since they are hidden there is no error message displayed.
>>>
>>> Is there a way to invalidate 'address' if 'lat' or 'lng' is empty? If
>>> so, I could then display an error message attached to the input users
>>> actually type into.
>>>
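A runnable sketch of the two-step process described in this thread (field requirements first, then the onvalidation call, with accepted true only when form.errors is empty), added here as an illustration. It is not web2py's SQLFORM: the Form class, is_float_in_range, delegated_validator and process_place are stand-ins constructed for this example. The delegated validator checks the hidden lat/lng values on the server (hidden inputs are still client-supplied and can arrive blank or altered) and puts the error on the visible address field, which is the pattern Niphlod suggests:

```python
class Form(object):
    """Minimal stand-in for SQLFORM (an assumption of this example, not web2py's
    class): holds submitted vars, collects errors and exposes .accepted."""

    def __init__(self, validators, submitted):
        self.validators = validators  # {field name: callable(value) -> error text or None}
        self.vars = dict(submitted)
        self.errors = {}
        self.accepted = False

    def process(self, onvalidation=None):
        # Step 1: the requirements on the fields themselves.
        for name, check in self.validators.items():
            error = check(self.vars.get(name, ""))
            if error:
                self.errors[name] = error
        # Step 2: onvalidation runs only when step 1 left no errors.
        if not self.errors and onvalidation is not None:
            onvalidation(self)
        # Accepted only when nothing, including onvalidation, added an error.
        self.accepted = not self.errors
        return self


def is_float_in_range(low, high):
    """Validator factory in the spirit of IS_FLOAT_IN_RANGE (not web2py's
    implementation): returns an error string or None."""
    def check(value):
        try:
            number = float(value)
        except (TypeError, ValueError):
            return "not a number"
        if not (low <= number <= high):
            return "out of range"
        return None
    return check


def delegated_validator(form):
    """onvalidation callback: validate the hidden lat/lng values server-side
    (hidden inputs are still client-supplied and may be blank or tampered with)
    but attach the error to the visible address field."""
    failed = []
    for name, low, high in (("lat", -90.0, 90.0), ("lng", -180.0, 180.0)):
        raw = form.vars.get(name, "")
        if raw == "" or is_float_in_range(low, high)(raw) is not None:
            failed.append(name)
    if failed:
        form.errors["address"] = (
            "address isn't precise enough (missing or invalid: %s)" % ", ".join(failed))


def process_place(submitted):
    """Process a 'place' submission: only 'address' carries a field validator,
    so lat/lng problems surface exclusively through delegated_validator."""
    validators = {"address": lambda value: "required" if not value else None}
    return Form(validators, submitted).process(onvalidation=delegated_validator)


if __name__ == "__main__":
    # Constructed sample submissions: complete, blank hidden fields, tampered hidden fields.
    for sample in ({"address": "1 Main St", "lat": "48.85", "lng": "2.35"},
                   {"address": "Paris", "lat": "", "lng": ""},
                   {"address": "Paris", "lat": "999", "lng": "abc"}):
        form = process_place(sample)
        print(sample["address"], "accepted:", form.accepted, "errors:", form.errors)
```

Because the hidden fields carry no validator of their own, a blank or out-of-range coordinate never produces an invisible error; it always surfaces on the address input the user can see, and the form is processed but not accepted.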
[web2py] approve my post for dev group
Hi all,

Could someone approve my post on the developers group?

Thanks!

Quint
[web2py] Re: approve my post for dev group
Done. And thanks for the contribution.

Anthony

On Wednesday, August 27, 2014 8:44:00 AM UTC-4, Quint wrote:
>
> Hi all,
>
> Could someone approve my post on the developers group?
>
> Thanks!
>
> Quint
>
[web2py] Re: concurrency, web2py, and GAE
Was this threading problem resolved?

On Saturday, August 18, 2012 7:15:37 AM UTC+2, Massimo Di Pierro wrote:
>
> I am pretty sure web2py does not put those variables in global namespace
> but there is some extra logic for GAE that was written with some stronger
> assumptions. Will take a look.
>
> On Tuesday, 21 February 2012 14:54:31 UTC-6, howesc wrote:
>>
>> Hello all,
>>
>> a question about web2py and concurrent requests on GAE - I'm seeing some
>> odd behavior and i would like to know if my theory is at all reasonable,
>> and suggestions for testing my theory. an RTFM (read the friggen manual)
>> response is just fine - can you point me to the manual?
>>
>> my assertion: on GAE web2py puts per-request items into the shared
>> global namespace, such as db and auth. this causes problems on GAE with
>> concurrency enabled because data gets clobbered.
>>
>> why do i believe this? well, i turned on concurrency (threadsafe: true)
>> in app.yaml and after some time as the site gets loaded with real users (i
>> have not run into this when testing probably because i don't generate
>> enough test traffic) i see errors like:
>>
>>     File "/base/data/home/apps/s~myapp/default-30a0bc01f698.356965928401701861/applications/myapp/controllers/admin_stores.py", line 10, in
>>         auth.settings.actions_disabled=['profile', 'change_password']
>>     NameError: name 'auth' is not defined
>>
>>     AttributeError: 'auth_user' object has no attribute 'preferred_store'
>>
>>     File "/base/data/home/apps/s~myapp/default-30a0bc01f698.356965928401701861/applications/myapp/controllers/order.py", line 12, in
>>         db.store.virtualfields.append(StoreVirtualFields())
>>     NameError: name 'db' is not defined
>>
>>     File "/base/data/home/apps/s~myapp/default-30a0bc01f698.356965928401701861/applications/myapp/controllers/food.py", line 22, in menu
>>         response.title = response.title + " - Our Menu"
>>     TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
>>
>> i'd love to prove or disprove my theory that what is happening is that
>> while the request that errors is being processed, db.py (and menu.py) is
>> being evaluated for a second request, essentially clearing variables like
>> db, auth, and perhaps even response (the None response.title when
>> response.title is set in menu.py is most concerning).
>>
>> i admit to not fully understanding how the run_X_in_environment(), and
>> build_environment() and python variable scoping works well enough to know
>> if my theory is valid and how best to test my theory? i've thought about
>> putting a sleep in db.py just to see if i can reliably re-create this type
>> of behaviour.
>>
>> any thoughts?
>>
>> thanks,
>>
>> christian
>>
[web2py] Re: Can't get web2py working with GAE locally
Would be worth mentioning this in the book.

On Saturday, January 4, 2014 3:25:17 AM UTC+1, Massimo Di Pierro wrote:
>
> It is in handlers/gaehandler.py
> The reason we moved it is that we do not want to pollute the main folder
> and we do not want to overwrite any changes you may have to make to it upon
> upgrade. You have to
>
>     cp handlers/gaehandler.py ./
>
> On Thursday, 2 January 2014 20:33:35 UTC-6, Jaime Sempere wrote:
>>
>> Hi everyone, this is driving me mad.
>>
>> I used web2py and GAE one year ago and I liked it a lot, fast and easy to
>> work with GAE. Now that I wanted to start another app, I have downloaded GAE
>> and web2py again (for having the latest releases and starting in a clean & new
>> folder).
>>
>> So, the first change that I see is that when I run dev_appserver, GAE
>> forces me to use Python 2.7. My first guess then is that I need to change
>> gaehandler in app.yaml and leave the code like this:
>>
>>     application: myapp
>>     version: 1
>>     api_version: 1
>>
>>     #script: gaehandler.py # CGI
>>     script: gaehandler.wsgiapp # WSGI (Python 2.7 only)
>>     secure: optional
>>
>> But when I do a http://localhost:8080/
>>
>> I obtain this error in the console:
>>
>>     ERROR 2014-01-03 02:25:39,821 wsgi.py:262]
>>     Traceback (most recent call last):
>>       File "/home/mrkite/DesarrolloATUBETV/google_appengine/google/appengine/runtime/wsgi.py", line 239, in Handle
>>         handler = _config_handle.add_wsgi_middleware(self._LoadHandler())
>>       File "/home/mrkite/DesarrolloATUBETV/google_appengine/google/appengine/runtime/wsgi.py", line 298, in _LoadHandler
>>         handler, path, err = LoadObject(self._handler)
>>       File "/home/mrkite/DesarrolloATUBETV/google_appengine/google/appengine/runtime/wsgi.py", line 84, in LoadObject
>>         obj = __import__(path[0])
>>     ImportError: No module named gaehandler
>>     INFO 2014-01-03 02:25:39,834 module.py:617] default: "GET / HTTP/1.1" 500 -
>>     INFO 2014-01-03 02:25:40,208 module.py:617] default: "GET /favicon.ico HTTP/1.1" 304 -
>>
>> And of course I can't see any HTML returned. Why is gaehandler missing?
>>
>> I can reach localhost:8001/myapp (web2py server)
>> But not localhost:8080 (GAE)
>>
>> And second question: for running my GAE app locally do I need to have
>> the web2py server running? I used to have both running, but now I have seen
>> that I need to change the default port 8000 to another (i.e. 8001), because GAE
>> is using 8000 and 8080.
>>
>> Any help would be very appreciated. Thank you
>>
[web2py] Re: Registration password field security risk on form failure?
Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab is the HTML of the returned page. This response contains the password input value in plain text.

If I submitted the password as "asdf" and submitted the registration form with failures, the response will contain this (as shown in the net tab):

    "password" value="asdf" />

Does no one else experience this behavior?

On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>
> Using the same Firebug, look at the Net tab - look at your post and the
> response.
>
> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>
>> Looking at the password input through Firebug/developer tools, and the
>> value of the password input is the plaintext of the password I entered.
>>
>> I have a test site here:
>> http://tedlee.pythonanywhere.com/welcome/default/user/register
>>
>> Typing in a password and failing registration will return that password.
>> Is this just the behavior of a modern browser (to remember failed inputs),
>> or is it web2py form handling?
>>
>> In the case that web2py did only return asterisks, wouldn't that be very
>> misleading to the user? Because the password input is masked, they would
>> assume that the returned password value (after registration failure) was
>> what they previously had typed, not a password replaced with asterisks.
>> Thus on re-submitting the form, they would not think to alter the password
>> and would just submit a password with asterisks.
>>
>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>
>>> Have you actually looked at it? I believe it just returns asterisks.
>>>
>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>
>>>> I am currently looking into whether or not password fields should be
>>>> cleared on registration error after the form fails server-side
>>>> validation.
>>>> At the moment, web2py shows the password after a registration error,
>>>> instead of leaving it blank. While this may make editing the password
>>>> easier (in case there are pw errors), it seems to pose a security risk
>>>> because you are sending the password back to the client in plain text. To
>>>> my understanding, this would allow the page to be cached with the
>>>> password's value in plain text.
>>>>
>>>> I tested this on a variety of browsers and systems, so to the best of
>>>> my knowledge this behavior is not unique to a browser.
>>>>
>>>> Does this pose a reasonable security risk?
>>>>
>>>> Some reference links:
>>>> http://ux.stackexchange.com/questions/3/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>>>>
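An added illustration of the behaviour Mark Li describes and of the usual fix; this is not web2py's own form code nor the patch referenced later in the thread. A small renderer re-populates a failed form from the submitted values: with blank_passwords=False it echoes the password input value back in the response body (the problem), with blank_passwords=True it always emits password inputs empty (the fix). render_input, render_form, leaks_secret and the sample submission are all constructed for this example.

```python
import html

# Constructed sample: a registration POST whose confirmation field did not
# match, so the server must re-render the form together with an error.
SUBMITTED = {"email": "bob@example.com", "password": "asdf", "password_two": "asd"}
ERRORS = {"password_two": "password mismatch"}
FIELD_TYPES = {"email": "text", "password": "password", "password_two": "password"}


def render_input(name, value, field_type, blank_passwords=True):
    """Render one input element.

    With blank_passwords=True (the fix) a password input is always emitted
    with value="" so the submitted secret never reaches the response body,
    where it could be cached or read from the page source. With
    blank_passwords=False it reproduces the echoing behaviour from the thread.
    """
    if field_type == "password" and blank_passwords:
        value = ""
    return '<input type="%s" name="%s" value="%s" />' % (
        html.escape(field_type, quote=True),
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def render_form(submitted, errors, field_types, blank_passwords=True):
    """Re-render every field with its submitted value and any error message."""
    parts = []
    for name, ftype in field_types.items():
        parts.append(render_input(name, submitted.get(name, ""), ftype, blank_passwords))
        if name in errors:
            parts.append('<div class="error">%s</div>' % html.escape(errors[name]))
    return "\n".join(parts)


def leaks_secret(rendered, submitted, field_types):
    """Regression check: does any submitted password value appear in the
    rendered response, either raw or in its HTML-escaped form?"""
    for name, ftype in field_types.items():
        secret = submitted.get(name, "")
        if ftype == "password" and secret:
            if secret in rendered or html.escape(secret, quote=True) in rendered:
                return True
    return False


if __name__ == "__main__":
    before = render_form(SUBMITTED, ERRORS, FIELD_TYPES, blank_passwords=False)
    after = render_form(SUBMITTED, ERRORS, FIELD_TYPES)
    print("echoing renderer leaks the password:", leaks_secret(before, SUBMITTED, FIELD_TYPES))
    print("blanking renderer leaks the password:", leaks_secret(after, SUBMITTED, FIELD_TYPES))
    print(after)
```

The leaks_secret check is the kind of assertion worth keeping in a form library's test suite: it fails the moment a password value, escaped or not, shows up in a re-rendered page. Blanking the field addresses the response body; serving the failed-registration page with Cache-Control: no-store is the complementary measure against the caching concern raised in the thread.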
[web2py] Re: Registration password field security risk on form failure?
It got posted to the developer list yesterday, so it would seem at least some of the maintainers think it's an issue worth discussion.

On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote:
>
> Under the Net tab in Firebug, the Post contains the submitted variables,
> and the response tab is the HTML of the returned page. This response
> contains the password input value in plain text.
>
> If I submitted the password as "asdf" and submitted the registration form
> with failures, the response will contain this (as shown in the net tab):
>
>     "password" value="asdf" />
>
> Does no one else experience this behavior?
>
> On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>>
>> Using the same Firebug, look at the Net tab - look at your post and the
>> response.
>>
>> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>>
>>> Looking at the password input through Firebug/developer tools, and the
>>> value of the password input is the plaintext of the password I entered.
>>>
>>> I have a test site here:
>>> http://tedlee.pythonanywhere.com/welcome/default/user/register
>>>
>>> Typing in a password and failing registration will return that password.
>>> Is this just the behavior of a modern browser (to remember failed inputs),
>>> or is it web2py form handling?
>>>
>>> In the case that web2py did only return asterisks, wouldn't that be very
>>> misleading to the user? Because the password input is masked, they would
>>> assume that the returned password value (after registration failure) was
>>> what they previously had typed, not a password replaced with asterisks.
>>> Thus on re-submitting the form, they would not think to alter the password
>>> and would just submit a password with asterisks.
>>>
>>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>>
>>>> Have you actually looked at it? I believe it just returns asterisks.
>>>>
>>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>>
>>>>> I am currently looking into whether or not password fields should be
>>>>> cleared on registration error after the form fails server-side
>>>>> validation.
>>>>> At the moment, web2py shows the password after a registration error,
>>>>> instead of leaving it blank. While this may make editing the password
>>>>> easier (in case there are pw errors), it seems to pose a security risk
>>>>> because you are sending the password back to the client in plain text. To
>>>>> my understanding, this would allow the page to be cached with the
>>>>> password's value in plain text.
>>>>>
>>>>> I tested this on a variety of browsers and systems, so to the best of
>>>>> my knowledge this behavior is not unique to a browser.
>>>>>
>>>>> Does this pose a reasonable security risk?
>>>>>
>>>>> Some reference links:
>>>>> http://ux.stackexchange.com/questions/3/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>>>>>
[web2py] Re: How can I set correctly auth.settings.registration_requires_verification = False ?
Hi people, please do you have any idea on the way I can avoid the register_key verification?

Thank You

On Monday, August 4, 2014 10:39:26 UTC+2, Luca Guerrieri wrote:
>
> Good morning people,
> I've customized the registration form and relative view, for integrating the
> registration process with Active Directory (asap I'll post on webslices my results :-) )
> But ... I've a problem ... and I'm not able to resolve it correctly ...
>
> in db.py I've set
>
>     ## configure auth policy
>     auth.settings.registration_requires_verification = False
>     auth.settings.registration_requires_approval = False
>     auth.settings.reset_password_requires_verification = True
>
> so it means that if a new user registers, after submit he will be able to
> make login without register_key verification etc... right?
>
> it seems it's not so: after registration I've the registration_key
> filled with the key and I've to clear it if I want to permit login
> to the user ...
>
> What is wrong?
>
> Thank you for your help
>
> Luca
>
Re: [web2py] Re: Registration password field security risk on form failure?
This problem was patched here today:
https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736

On Wed, Aug 27, 2014 at 10:40 AM, Willoughby wrote:
> It got posted to the developer list yesterday, so it would seem at least
> some of the maintainers think it's an issue worth discussion.
>
> On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote:
>>
>> Under the Net tab in Firebug, the Post contains the submitted variables,
>> and the response tab is the HTML of the returned page. This response
>> contains the password input value in plain text.
>>
>> If I submitted the password as "asdf" and submitted the registration form
>> with failures, the response will contain this (as shown in the net tab):
>>
>>     "password" value="asdf" />
>>
>> Does no one else experience this behavior?
>>
>> On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>>>
>>> Using the same Firebug, look at the Net tab - look at your post and the
>>> response.
>>>
>>> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>>>
>>>> Looking at the password input through Firebug/developer tools, and the
>>>> value of the password input is the plaintext of the password I entered.
>>>>
>>>> I have a test site here:
>>>> http://tedlee.pythonanywhere.com/welcome/default/user/register
>>>>
>>>> Typing in a password and failing registration will return that password.
>>>> Is this just the behavior of a modern browser (to remember failed inputs),
>>>> or is it web2py form handling?
>>>>
>>>> In the case that web2py did only return asterisks, wouldn't that be very
>>>> misleading to the user? Because the password input is masked, they would
>>>> assume that the returned password value (after registration failure) was
>>>> what they previously had typed, not a password replaced with asterisks.
>>>> Thus on re-submitting the form, they would not think to alter the password
>>>> and would just submit a password with asterisks.
>>>>
>>>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>>>
>>>>> Have you actually looked at it? I believe it just returns asterisks.
>>>>>
>>>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>>>
>>>>>> I am currently looking into whether or not password fields should be
>>>>>> cleared on registration error after the form fails server-side
>>>>>> validation.
>>>>>> At the moment, web2py shows the password after a registration error,
>>>>>> instead of leaving it blank. While this may make editing the password
>>>>>> easier (in case there are pw errors), it seems to pose a security risk
>>>>>> because you are sending the password back to the client in plain text. To
>>>>>> my understanding, this would allow the page to be cached with the
>>>>>> password's value in plain text.
>>>>>>
>>>>>> I tested this on a variety of browsers and systems, so to the best of
>>>>>> my knowledge this behavior is not unique to a browser.
>>>>>>
>>>>>> Does this pose a reasonable security risk?
>>>>>>
>>>>>> Some reference links:
>>>>>> http://ux.stackexchange.com/questions/3/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>>>>>>
Re: [web2py] Re: Registration password field security risk on form failure?
Thanks for pointing this out.

Anthony

On Wednesday, August 27, 2014 5:54:15 PM UTC-4, Mark Li wrote:
>
> This problem was patched here today:
> https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736
>
> On Wed, Aug 27, 2014 at 10:40 AM, Willoughby wrote:
>
>> It got posted to the developer list yesterday, so it would seem at least
>> some of the maintainers think it's an issue worth discussion.
>>
>> On Wednesday, August 27, 2014 1:11:57 PM UTC-4, Mark Li wrote:
>>>
>>> Under the Net tab in Firebug, the Post contains the submitted variables,
>>> and the response tab is the HTML of the returned page. This response
>>> contains the password input value in plain text.
>>>
>>> If I submitted the password as "asdf" and submitted the registration
>>> form with failures, the response will contain this (as shown in the net
>>> tab):
>>>
>>>     "password" value="asdf" />
>>>
>>> Does no one else experience this behavior?
>>>
>>> On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>>>>
>>>> Using the same Firebug, look at the Net tab - look at your post and the
>>>> response.
>>>>
>>>> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>>>>
>>>>> Looking at the password input through Firebug/developer tools, and the
>>>>> value of the password input is the plaintext of the password I entered.
>>>>>
>>>>> I have a test site here:
>>>>> http://tedlee.pythonanywhere.com/welcome/default/user/register
>>>>>
>>>>> Typing in a password and failing registration will return that
>>>>> password. Is this just the behavior of a modern browser (to remember
>>>>> failed inputs), or is it web2py form handling?
>>>>>
>>>>> In the case that web2py did only return asterisks, wouldn't that be
>>>>> very misleading to the user? Because the password input is masked, they
>>>>> would assume that the returned password value (after registration
>>>>> failure) was what they previously had typed, not a password replaced with
>>>>> asterisks. Thus on re-submitting the form, they would not think to alter
>>>>> the password and would just submit a password with asterisks.
>>>>>
>>>>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>>>>
>>>>>> Have you actually looked at it? I believe it just returns asterisks.
>>>>>>
>>>>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>>>>
>>>>>>> I am currently looking into whether or not password fields should be
>>>>>>> cleared on registration error after the form fails server-side
>>>>>>> validation.
>>>>>>> At the moment, web2py shows the password after a registration error,
>>>>>>> instead of leaving it blank. While this may make editing the password
>>>>>>> easier (in case there are pw errors), it seems to pose a security risk
>>>>>>> because you are sending the password back to the client in plain text.
>>>>>>> To my understanding, this would allow the page to be cached with the
>>>>>>> password's value in plain text.
>>>>>>>
>>>>>>> I tested this on a variety of browsers and systems, so to the best
>>>>>>> of my knowledge this behavior is not unique to a browser.
>>>>>>>
>>>>>>> Does this pose a reasonable security risk?
>>>>>>>
>>>>>>> Some reference links:
>>>>>>> http://ux.stackexchange.com/questions/3/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>>>>>>>