Adding the username or email (based on auth preferences) is needed .... Is showing the password in the parameter really this bad?
On 1 Feb, 22:12, Niphlod <niph...@gmail.com> wrote:
> bump ....
>
> On Jan 26, 9:42 pm, Niphlod <niph...@gmail.com> wrote:
>
> > Hello, I'm working on integrating uploadify with web2py....
> > Unfortunately uploadify doesn't use cookies at all when posting the
> > files, so if I want to "assign" a user to an uploaded file I need to
> > secure the "receiving" function somehow.
> > Uploadify can definitely add a parameter on every POST it does on the
> > receiving page .... I'm not sure how to secure the access to that
> > page. When uploadify is initialized the user is known in advance, so
> > specifying the parameter(s) is not a problem.
> >
> > I don't see any method to retrieve current "active" sessions (I did a
> > quick look into the gluon folder) ... but at least it comes to my mind
> > that I can put the user password as it is stored in the database
> > (hashed with the random key) as a parameter and then retrieve the user
> > querying the auth_user table....
> > In this way I think the user is uniquely identified (or do I need to
> > put also the username in the mix?) ... If he/she can upload a file by
> > forging a POST instead of accessing the site, that is a minor problem ....
> > if that can be fixed, it is a plus.
> >
> > Does anyone have a better idea? Is that implementation secure?
> >
> > A snippet is better than a thousand words ....
> >
> > def receiver_page():
> >     session.forget()
> >     # user detection ........ fill the blanks
> >     ...
> >     ...
> >     detected_user = x
> >     # end user detection....
> >     db.uploaded_files.insert(content=db.uploaded_files.store(stream,
> >                                                              filename),
> >                              user_id=detected_user)
> >
> > I know a session.forget() and wanting to know which user is accessing
> > the page is kind of nonsense, but nevertheless I'd like to do it :P
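As an added example (not code from this thread or from web2py), here is the kind of short-lived signed token that can take the place of the stored password hash as the uploadify parameter: the receiving page can verify it with no session at all, and a value that ends up in a proxy or access log expires instead of being a reusable credential tied to the account. It assumes a constructed server secret and a hypothetical `upload_token` POST parameter; the web2py wiring (`request.vars`, the `db` insert) is sketched in a comment rather than run.

```python
import hmac
import hashlib
import time

# Constructed example values: in a real deployment the secret is loaded from
# application config (never committed) and the TTL is kept short.
SERVER_SECRET = b"constructed-example-secret-rotate-me"
TOKEN_TTL_SECONDS = 600


def issue_upload_token(user_id, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """Return 'user_id:expiry:mac' to hand to the uploader when it is initialised.

    The MAC covers both fields, so neither the user id nor the expiry can be
    altered without the server secret, and the value itself reveals no credential.
    """
    expiry = int(now if now is not None else time.time()) + ttl
    msg = f"{user_id}:{expiry}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{expiry}:{mac}"


def verify_upload_token(token, now=None, secret=SERVER_SECRET):
    """Return the user id if token is well-formed, untampered and unexpired, else None."""
    try:
        uid_str, expiry_str, mac = token.split(":")
        user_id, expiry = int(uid_str), int(expiry_str)
    except (AttributeError, ValueError):
        return None          # missing, malformed or non-numeric fields
    expected = hmac.new(secret, f"{user_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None          # tampered, or issued under a different secret
    if (now if now is not None else time.time()) > expiry:
        return None          # a leaked or logged token stops working after the TTL
    return user_id


# Where this plugs into the receiver from the post (web2py names, not run here):
#     session.forget()
#     detected_user = verify_upload_token(request.vars.upload_token)  # hypothetical parameter
#     if detected_user is None:
#         raise HTTP(403)
#     db.uploaded_files.insert(..., user_id=detected_user)
```

Send the token in the POST body rather than the query string so it stays out of URL-based logs, and rotate the secret if it is ever exposed, which invalidates every outstanding token at once.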