Hello, I'm working on integrating uploadify with web2py.... Unfortunately uploadify doesn't use cookies at all when posting the files, so if I want to "assign" a user to an uploaded file I need to secure the "receiving" function somehow. Uploadify can definitely add a parameter on every POST it does to the receiving page .... I'm not sure how to secure the access to that page. When uploadify is initialized the user is known in advance, so specifying the parameter(s) is not a problem.
I don't see any method to retrieve the current "active" sessions (I did a quick look into the gluon folder) ... but at least it comes to my mind that I can put the user password as it is stored in the database (hashed with the random key) as a parameter and then retrieve the user by querying the auth_user table.... In this way I think the user is uniquely identified (or do I also need to put the username in the mix?) ... If he/she can upload a file by forging a POST instead of accessing the site, that is a minor problem .... if that can be fixed it is a plus.

Does anyone have a better idea? Is that implementation secure? A snippet is better than a thousand words ....

    def receiver_page():
        session.forget()
        # user detection ........ fill the blanks ... ...
        detected_user = x
        # end user detection....
        db.uploaded_files.insert(content=db.uploaded_files.store(stream, filename),
                                 user_id=detected_user)

I know a session.forget() and wanting to know which user is accessing the page is kind of nonsense, but nevertheless I'd like to do it :P
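As an added example (not part of the original post and not web2py's or uploadify's own code), the following shows one way to answer the "better idea" question above: instead of sending the stored password hash as the POST parameter (a long-lived credential that would then travel with every upload and sit in server logs), the page that initializes the upload widget mints a short-lived HMAC token bound to the user id, and the receiving function verifies it before trusting the user id. The names `mint_upload_token`, `verify_upload_token`, `detect_user`, the `upload_token` field name and `SERVER_SECRET` are all assumptions of this example; the token is passed through whatever extra-parameter option the widget offers, and `request.vars` in web2py plays the role of the dict handed to `detect_user`.

```python
import hashlib
import hmac
import time

# Constructed for this example: in a real deployment the secret comes from
# configuration (never from source control) and is rotated like any other key.
SERVER_SECRET = b"example-server-secret-change-me"
TOKEN_TTL_SECONDS = 600          # how long a minted token stays valid
UPLOAD_TOKEN_FIELD = "upload_token"  # hypothetical POST field name


def _sign(user_id_str, expires, secret):
    """HMAC-SHA256 over 'user_id:expires' so neither part can be altered."""
    msg = f"{user_id_str}:{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_upload_token(user_id, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """Return 'user_id:expires:signature' for the page that initializes the widget.

    The caller already knows the logged-in user (session is still available
    there), so the token is issued server-side and embedded as a POST parameter.
    """
    current = int(time.time() if now is None else now)
    expires = current + ttl
    return f"{user_id}:{expires}:{_sign(str(user_id), expires, secret)}"


def verify_upload_token(token, now=None, secret=SERVER_SECRET):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        user_id_str, expires_str, sig = token.split(":")
        expires = int(expires_str)
        user_id = int(user_id_str)
    except (ValueError, AttributeError):
        return None  # malformed, missing, or not a string
    expected = _sign(user_id_str, expires, secret)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, sig):
        return None
    current = time.time() if now is None else now
    if current >= expires:
        return None  # a captured token stops working after the TTL
    return user_id


def detect_user(post_fields, now=None):
    """What the receiving function would run in place of 'fill the blanks'.

    post_fields is a dict like web2py's request.vars; returns the user id to
    store with the file, or None when the upload must be rejected.
    """
    return verify_upload_token(post_fields.get(UPLOAD_TOKEN_FIELD), now=now)


if __name__ == "__main__":
    # Constructed exchange: the initializing page mints, the widget posts it back.
    token = mint_upload_token(42)
    print("minted:", token)
    print("receiver sees user:", detect_user({UPLOAD_TOKEN_FIELD: token}))
    tampered = "7:" + token.split(":", 1)[1]   # user id changed, signature kept
    print("tampered token accepted?", detect_user({UPLOAD_TOKEN_FIELD: tampered}))
```

The receiving function still calls `session.forget()` as in the post; the token replaces the session as the source of the user id, and because it carries its own expiry the window in which a forged or replayed POST could succeed is bounded by the TTL rather than by the lifetime of the user's password.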