Just submitted a patch.

Anthony

On Thursday, May 30, 2013 11:13:36 PM UTC-4, Anthony wrote:
>
> Perhaps we should just allow:
>
> @auth.requires_signature(hash_vars=False)
>
> Anthony
>
> On Thursday, May 30, 2013 9:27:45 PM UTC-4, Wes Hall wrote:
>>
>> Much "more simply". :)
>>
>> I had skipped right past the ability to ignore the vars when using
>> URL.verify vs. auth.requires_signature. Should've read the docs more
>> closely.
>>
>> Summary: If @auth.requires_signature is giving you problems due to vars
>> changing on modified views, use URL.verify inside the function.
>>
>> On Thursday, May 30, 2013 9:04:52 PM UTC-4, Anthony wrote:
>>>
>>> Or more simply:
>>>
>>> def other():
>>>     if not URL.verify(request, user_signature=True, hash_vars=False):
>>>         redirect(...)
>>>     return dict(grid=SQLFORM.grid(...))
>>>
>>> Anthony
>>>
>>> On Thursday, May 30, 2013 6:44:59 PM UTC-4, Wes Hall wrote:
>>>>
>>>> I need to verify that the right person can get to the grid, but once
>>>> that is established, let the grid handle verification.
>>>>
>>>> Something along the lines of this would be the best action?
>>>>
>>>> def other():
>>>>
>>>>     # If there are vars, assume grid is supplying and let it check the key
>>>>     if len(request.vars) >= 1:
>>>>         pass
>>>>
>>>>     # If no vars, see if this link is valid
>>>>     elif URL.verify():
>>>>         pass
>>>>
>>>>     # Neither condition is True, must be invalid, redirect
>>>>     else:
>>>>         redirect
>>>>
>>>>     return SQLFORM.grid()
>>>>
>>>> On Thursday, May 30, 2013 8:57:34 AM UTC-4, Anthony wrote:
>>>>>
>>>>> The grid does its own URL signature verification, so you should not
>>>>> use the @auth.requires_signature decorator. I believe the difference is
>>>>> that @auth.requires_signature expects the URL vars to be included in the
>>>>> hash, but the grid excludes the vars. If you need to separately verify
>>>>> the signature to prevent any access to the function at all, you can
>>>>> directly call the URL.verify() function within the other() function.
>>>>>
>>>>> Anthony
>>>>>
>>>>> On Thursday, May 30, 2013 2:12:31 AM UTC-4, Wes Hall wrote:
>>>>>>
>>>>>> Using MDP's example from here:
>>>>>> https://groups.google.com/d/msg/web2py/VBrm6B6-Pdk/sG_h9Ane8zQJ and
>>>>>> the manual's suggestion for digitally signed urls:
>>>>>>
>>>>>> @auth.requires_membership('admin')
>>>>>> def index():
>>>>>>     link = URL('other',user_signature=True) #1
>>>>>>     return dict(link=link)
>>>>>>
>>>>>> @auth.requires_signature() #2
>>>>>> def other():
>>>>>>     return dict(message='hello world')
>>>>>>
>>>>>> I have added a SQLFORM.grid in other(). Everything works fine except
>>>>>> for the pagination links. The requires_signature decorator for other()
>>>>>> won't accept the signed URL from the grid, and the user is redirected to
>>>>>> the access denied/not authorized page.
>>>>>>
>>>>>> Link from index():
>>>>>> ...other/29?_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd
>>>>>> page2 link from other() grid:
>>>>>> ...other/29?page=2&_signature=663347d7a36b4eb34f6f07607f4a3b396f76e1cd
>>>>>>
>>>>>> I tried removing the requires_signature() decorator, and the
>>>>>> pagination works correctly. It appears as though both
>>>>>> URL(user_signature=True) and SQLFORM.grid(user_signature=True) hash the
>>>>>> signature the same, but @auth.requires_signature and SQLFORM.grid verify
>>>>>> the signatures differently.
>>>>>>
>>>>>> If that is a fair or accurate statement, how should I work around
>>>>>> this?
>>>>>>
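
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not web2py's own code: a simplified model of signed URLs showing why the grid's page=2 link fails a verifier that hashes the vars and passes one that hashes only the path. The key, the paths and the helper names (sign_url, verify_url) are constructed for illustration, and HMAC-SHA1 over the path plus sorted vars is an assumption about the scheme.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

KEY = b"constructed-per-user-hmac-key"  # constructed stand-in for the signing key


def _mac(path, query_vars):
    """HMAC-SHA1 over the path, plus the sorted query vars when any are hashed."""
    msg = path + ("?" + urlencode(sorted(query_vars)) if query_vars else "")
    return hmac.new(KEY, msg.encode(), hashlib.sha1).hexdigest()


def sign_url(path, query_vars=(), hash_vars=True):
    """Build a signed URL; hash_vars=False signs the path only (the grid's behaviour per the thread)."""
    sig = _mac(path, list(query_vars) if hash_vars else [])
    return path + "?" + urlencode(list(query_vars) + [("_signature", sig)])


def verify_url(url, hash_vars=True):
    """Recompute the MAC as the verifier is configured and compare in constant time."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sig = dict(pairs).get("_signature", "")
    rest = [(k, v) for k, v in pairs if k != "_signature"]
    expected = _mac(parts.path, rest if hash_vars else [])
    return hmac.compare_digest(sig.encode(), expected.encode())


# Constructed sample URLs mirroring the two links in the original post.
index_link = sign_url("/app/default/other/29")  # link built in index()
page2_link = sign_url("/app/default/other/29", [("page", "2")], hash_vars=False)  # grid pagination
changed_var = page2_link.replace("page=2", "page=999")    # same path, different var
changed_path = page2_link.replace("/other/29", "/other/30")  # different path

if __name__ == "__main__":
    print("index link, vars hashed     :", verify_url(index_link))
    print("page2 link, vars hashed     :", verify_url(page2_link))
    print("page2 link, hash_vars=False :", verify_url(page2_link, hash_vars=False))
    print("changed var, hash_vars=False:", verify_url(changed_var, hash_vars=False))
    print("changed path, hash_vars=False:", verify_url(changed_path, hash_vars=False))
```

With hash_vars=False the signature covers only the path, so a changed query var still verifies; the function behind the URL must treat every var as untrusted input and not base access decisions on it.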