You can use a digital signature: http://web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls

When creating the component, do LOAD(..., user_signature=True). Then decorate your component actions with @auth.requires_signature().

Anthony

On Monday, March 7, 2016 at 3:58:25 PM UTC-5, Ben Lawrence wrote:
>
> Hi
>
> I just need a little advice here.
>
> There are logged-in users on my website that are given permission to access a particular html page. The page changes depending on the user logged in. The controller decides on whether the user can access that page or not.
>
> The html page calls LOADs. How do I properly secure these LOAD calls with the same permission as the html parent? (Otherwise people can just put the LOAD file address in the browser and see it.)
>
> Now, I am running the same database checks in the LOAD as in the html, so there is duplication here. Should I use the http referrer request.env.http_referer to check that the caller is correct or is there a better way?
>
> Thanks for your time.
>

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
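As an added illustration, not code from the thread or from web2py itself, this re-implements the signed-URL idea Anthony points to in plain Python: a secret tied to the user's session signs the component URL, and the component recomputes and checks that signature before serving, so a URL pasted into another browser (or with its parameters edited) is refused. The function names, the SHA-256 choice and the allowed_to_view() check in the comment are assumptions standing in for web2py's URL(), verifyURL() and the poster's own database check, not the framework's implementation.

```python
# Added example (not from the thread or from web2py): the signed-URL idea
# behind LOAD(..., user_signature=True) and @auth.requires_signature(),
# re-implemented in plain Python so it runs outside the framework.
# The web2py controller pattern from the answer, for reference only
# (allowed_to_view is a hypothetical stand-in for the poster's DB check):
#
#   @auth.requires_login()
#   def parent():
#       if not allowed_to_view(auth.user_id):   # the permission check, done once
#           raise HTTP(403)
#       return dict(panel=LOAD('default', 'panel.load', ajax=True,
#                              user_signature=True))
#
#   @auth.requires_signature()                  # unsigned/tampered URL -> 403
#   def panel():
#       ...
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

def new_session_key() -> bytes:
    """Stand-in for the per-session HMAC key a logged-in user gets."""
    return secrets.token_bytes(32)

def _digest(path: str, params: dict, hmac_key: bytes) -> str:
    # Sign the path plus the query in canonical (sorted) order, so the same
    # parameters always produce the same message regardless of their order.
    query = urlencode(sorted(params.items()))
    return hmac.new(hmac_key, f"{path}?{query}".encode(), hashlib.sha256).hexdigest()

def sign_url(path: str, params: dict, hmac_key: bytes) -> str:
    """Build the component URL with a _signature bound to this user's key."""
    query = urlencode(sorted(params.items()))
    sep = "&" if query else ""
    return f"{path}?{query}{sep}_signature={_digest(path, params, hmac_key)}"

def verify_url(url: str, hmac_key: bytes) -> bool:
    """What the component does before serving: recompute and compare."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("_signature", None)
    if presented is None:
        return False                      # URL typed into the browser by hand
    expected = _digest(parts.path, params, hmac_key)
    return hmac.compare_digest(presented, expected)   # constant-time compare
```

Because the key is per session, the same component URL signed for one user does not verify for another, which is the property the poster wanted instead of a Referer check.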