No. requires_signature does not require login and serves a very different purpose. It is designed to delegate authentication. If a user has permission to access page A and the user is redirected to page B, A can sign B to tell B the user can be trusted.
On Tuesday, 23 April 2019 00:49:37 UTC-7, João Matos wrote:
>
> Thanks for the workaround Anthony.
>
> I believe it should be the other way around. Grid should have the option
> hash_vars=True. I added the feature request in GH.
>
> I'm using HTTPS and these security measures (only one of them per action,
> depending on the need):
> - @auth.requires_login()
> - @auth.requires(ADMINISTRATOR_ROLE_ID in auth.user_groups)
> - @auth.requires(request.env.http_referer and ('/single_equip_opt' in
> request.env.http_referer or '/single_equip_opt/get_approval' in
> request.env.http_referer))
>
> Do you have any recommendations?
>
> My thought in replacing the @auth.requires_login() with
> @auth.requires_signature() (I believe @auth.requires_signature() also
> requires login, correct?) was adding another security layer, but with the
> limitation you explained, I think I will not do it.
> What is your opinion on this?
>
> With this severe limitation to @auth.requires_signature(), in what
> situation do you recommend using it?
>
> Thanks,
>
> JM
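
A simplified, standalone model of the delegation described in the reply (an added example, not web2py's code and not part of the thread): page A signs the link to page B with an HMAC, and B accepts the request only if the signature verifies. The shared `KEY`, the function names and the use of SHA-256 are assumptions; `hash_vars` mirrors the option named in the quoted message by choosing whether the query variables are covered by the signature.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

KEY = b"constructed-demo-key"  # assumption: secret known to both page A and page B


def _mac(path, pairs, hash_vars):
    # With hash_vars=False only the path is covered, so the query
    # variables can be changed without invalidating the signature.
    msg = path
    if hash_vars:
        msg += "?" + urlencode(sorted(pairs))
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()


def sign_url(path, query=None, hash_vars=True):
    """Page A: build a link to page B that carries a signature."""
    pairs = list((query or {}).items())
    sig = _mac(path, pairs, hash_vars)
    return path + "?" + urlencode(pairs + [("_signature", sig)])


def verify_url(url, hash_vars=True):
    """Page B: accept the request only if the signature matches."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    rest = [(k, v) for k, v in pairs if k != "_signature"]
    if len(sigs) != 1:
        return False  # missing or duplicated signature
    expected = _mac(parts.path, rest, hash_vars)
    return hmac.compare_digest(sigs[0], expected)  # constant-time compare


if __name__ == "__main__":
    link = sign_url("/app/default/b", {"id": "7"})  # constructed sample URL
    print(link, verify_url(link))
    print("tampered id:", verify_url(link.replace("id=7", "id=8")))
```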