[web2py] Problem with the authorization and downloads

Mon, 08 Aug 2011 08:05:41 -0700 

Hello All,

I am trying to re-create the authorization for downloads as described
in the web2py book < 
http://web2py.com/book/default/chapter/08#Authorization-and-Downloads
>
Unfortunately I cannot get to enforce the authorization and users, who
are not logged in still can download files.

My web2py version: Version 1.98.2 (2011-08-04 00:47:09)
Deployed with mod_wsgi: Running on Apache/2.2.15 (CentOS)

In my model db.py file after the auth = Auth(db) I have:
#--- cut ---
import datetime
db.define_table('uploads',
                Field('sender',db.auth_user),
 
Field('sent_on','datetime',default=datetime.datetime.now()),
                Field('subject','string',default=''),
                Field('message','text',length=2048,default=''),
                Field('document','upload'),
                format='%(subject)s'
               )
db.uploads.document.authorization = lambda record: \
    auth.is_logged_in() and \
    auth.has_permission('read', db.uploads, record.id, auth.user.id)
#--- cut ---

In my default controller I have the crud.read form (which is working
fine):
#--- cut ---
@auth.requires_login()
def read_document():
    """Read form for one document"""
    form = crud.read(db.uploads,request.args(0))
    return dict(form=form)
#--- cut ---
The controller code is working fine and when I click on the file link
for the 'document' field, it is downloading the document from a link
like this:
https://<fqdn>/<app>/default/download/uploads.document.a1ccd7f214fa0aa8.68747470642d70667461626c65725f76305f372e747874.txt

In the controller function download is unchanged from the scaffolding
application:
#--- cut ---
def download():
    """
    allows downloading of uploaded files
    http://..../[app]/default/download/[filename]
    """
    return response.download(request,db)
#--- cut ---

The problem is: when I logout from my application
( auth.is_logged_in() is False ) and put in my browser the link to the
document above (with my browser restarted and all the browser cache
cleared), then I am still able to download the document. This means I
am still authorized to download, so my authorization mechanism is not
working.

Could somebody help me, please - am I wrong with my code or any hints
why the authorization is not working?

Thanks in advance,
TTT

Reply via email to