[web2py] Re: @auth.requires_signature won't authenticate SQLFORM.grid signed paginate URL

Thu, 30 May 2013 15:45:25 -0700 

I need to verify that the right person can get to the grid, but once that 
is established, let the grid handle verification. 

Something along the lines of this would be the best action?

def other():

    # If there are vars, assume grid is supplying and let it check the key
    if len(request.vars) >= 1:
        pass

    # If no vars, see if this link is valid
    elif URL.verify():
        pass

    # Neither condition is True, must be invalid, redirect
    else:
        redirect

    return SQLFORM.grid()

On Thursday, May 30, 2013 8:57:34 AM UTC-4, Anthony wrote:
>
> The grid does it's own URL signature verification, so you should not use 
> the @auth.requires_signature decorator. I believe the difference is that 
> @auth.requires_signature expects the URL vars to be included in the hash, 
> but the grid excludes the vars. If you need to separately verify the 
> signature to prevent any access to the function at all, you can directly 
> call the URL.verify() function within the other() function.
>
> Anthony
>
> On Thursday, May 30, 2013 2:12:31 AM UTC-4, Wes Hall wrote:
>>
>> Using MDP's example from here: 
>> https://groups.google.com/d/msg/web2py/VBrm6B6-Pdk/sG_h9Ane8zQJ and the 
>> manual's suggestion for digitally signed urls:
>>
>> @auth.requires_membership('admin'):
>> def index()
>>     link = URL('other',user_signature=True) #1
>>     return dict(link=link)
>>
>> @auth.requires_signature()  #2
>> def other():
>>     return dict(message='hello world')
>>
>> I have added a SQLFORM.grid in other(). Everything works fine except for 
>> the pagination links. The requires_signature decorator for other() won't 
>> accept the signed URL from the grid, and the user is redirected to the 
>> access denied/not authorized page.
>>
>> Link from index(): 
>> ...other/29?_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd
>> page2 link from other() 
>> grid: ...other/29?page=2&_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd
>>
>> I tried removing the requires_signature() decorator, and the pagination 
>> works correctly. It appears as though both URL(user_signature=True) and 
>> SQLFORM.grid(user_signature=True) hash the signature the same, but 
>> @auth.requires_signature and SQLFORM.grid verify the signatures differently.
>>
>> If that is a fair or accurate statement, how should I work around this?
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to