>
> I'm trying to reload a signed component passing parameters to it.
> Everything works great until I @auth.requires_signature() in the component 
> action.
>
> The LOAD is:
>
> {{=LOAD('opportunity', 'listops.load', target='oplist', ajax=True, 
> user_signature=True)}}
>
> var url = jQuery('#oplist').get(0).dataset.w2p_remote +'&'+ params;
> web2py_component(url, 'oplist');
>
> How can I use auth.requires_signature() and still reload the component 
> with parameters?
>

By default, the signature is based on the full original URL, including the 
query string, so you cannot append additional items to the query string and 
still have the signature validate. There is an option both when generating 
the signature and when verifying it to ignore the query string (or include 
only specific variables from it), but unfortunately the LOAD() helper does 
not provide a way to take advantage of that option directly. However, I 
think you can generate your own URL for the LOAD() helper:

signed_url = URL('opportunity', 'listops.load', user_signature=True, 
hash_vars=False)
LOAD(url=signed_url, target='oplist', ajax=True)

Above, setting hash_vars=False excludes the query string variables from the 
hash generation. Note, this somewhat weakens the security of the signature, 
as a user will be able to request a URL with any query string. If the 
original URL does include some variables in the query string (i.e., not 
generated via JavaScript in the browser), you can include only those 
variables in the hash via hash_vars=['list', 'of', 'variables']. In that 
case, only the values of those specific variables will be checked.

Then the Auth decorator should be:

@auth.requires_signature(hash_vars=False)

Anthony
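
The effect of the three hash_vars settings discussed above, as an added example that is not part of the original reply and is not web2py's own code: a simplified HMAC model of URL signing. The key, the helper names (sign_url, verify_url) and the owner/status variables are assumptions made for illustration.

```python
# Simplified model of signed URLs (added example; not web2py's implementation).
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

KEY = b"constructed-demo-key"  # constructed; stands in for the real signing key


def _message(path, query_vars, hash_vars):
    """Build the string that gets signed, honouring the hash_vars setting."""
    if hash_vars is True:        # default: every query variable is covered
        covered = query_vars
    elif hash_vars is False:     # the query string is ignored entirely
        covered = []
    else:                        # only the named variables are covered
        covered = [(k, v) for k, v in query_vars if k in hash_vars]
    return path + "?" + urlencode(sorted(covered))


def _mac(path, query_vars, hash_vars):
    msg = _message(path, query_vars, hash_vars).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, query_vars=(), hash_vars=True):
    """Return path?vars&_signature=<hex> for the given variables."""
    query_vars = list(query_vars)
    sig = _mac(path, query_vars, hash_vars)
    return path + "?" + urlencode(query_vars + [("_signature", sig)])


def verify_url(url, hash_vars=True):
    """Recompute the signature from the request and compare in constant time."""
    path, _, query = url.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    rest = [(k, v) for k, v in pairs if k != "_signature"]
    expected = _mac(path, rest, hash_vars)
    return len(sigs) == 1 and hmac.compare_digest(sigs[0], expected)


if __name__ == "__main__":
    base = "/app/opportunity/listops.load"  # constructed path
    print(verify_url(sign_url(base) + "&status=open"))             # default
    print(verify_url(sign_url(base, hash_vars=False) + "&status=open",
                     hash_vars=False))                             # ignored
```

With a list for hash_vars, a client-appended variable such as status passes verification while any change to a listed variable such as owner fails it, so values that drive authorization decisions belong in that list.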
