you're missing a point: separation of what is executed by python and what
is executed by javascript.
user_signature takes into consideration a/c/f , args AND vars.
your URL link in the onkeyup attribute is generated by python, but then
ajax() takes the values presented in the form (in your case, while the user
is typing values) and post those to the original URL (as vars).
python can't know in advance what values the user will type, and javascript
(ajax()) can't sign the "resulting url" because of two things:
- it doesn't know what hmac_key to use ('cause only the server knows what
is it, that's the whole point of user_signature)
- it doesn't know HOW to create the signature
If you need signed URLs, you need to verify the url without taking vars
into consideration.
Please review the book about the signature process...
http://web2py.com/books/default/chapter/29/04/the-core?search=signed#Digitally-signed-urls
BTW: auth.requires_signature() takes hash_vars as a parameter too.
On Wednesday, March 19, 2014 10:18:38 PM UTC+1, Mike Constabel wrote:
>
> Doesn't work. The generated HTML code:
>
> <input id="keyword" name="keyword" onkeyup="ajax(URL('callback',
> ['keyword', 'stype'], user_signature=True),
> 'target');" type="text" />
>
>
>
> Am Mittwoch, 19. März 2014 16:31:41 UTC+1 schrieb LightDot:
>>
>> Try:
>>
>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback',
>> ['keyword', 'stype'], user_signature=True), 'target');"), _name=
>> "search_type")))
>>
>> Regards
>>
>> On Wednesday, March 19, 2014 1:59:38 PM UTC+1, Mike Constabel wrote:
>>>
>>> Hi,
>>>
>>> in a form i have
>>>
>>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback',
>>> ['keyword', 'stype']), 'target');"), _name="search_type")))
>>>
>>> If a text is entered, callback is called an some text is displayed in
>>> target. This works.
>>>
>>> But now I want to sign the URL.
>>>
>>> If I add @auth.requires_signature() to callback function, it no longer
>>> works. The ajax call must be signed.
>>>
>>> @auth.requires_signature()
>>> def callback():
>>> return P("foo")
>>>
>>> But how can I add "user_signature=True" to the code above so that the
>>> ajax call will be signed?
>>>
>>> Regards,
>>> Mike
>>>
>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
