> > Is this correct? I think I can't do this with default settings as there is something stopping CSRF attacks, right?
If your get_file function creates a web2py form and calls form.process(), then by default it will add a _formkey token to the form for CSRF protection -- if that key is not present upon submission, the form will not be accepted. To prevent that, you can just do form.process(session=None). You could also forego the web2py form processing and just handle the upload manually (http://web2py.com/books/default/chapter/29/6#Manual-uploads).

On the other hand, if you still want the CSRF protection, you could call the get_file function via Ajax from the main page in order to set and get the _formkey token, and then configure nicEdit to post the _formkey value along with the file (if it can do that). Another option might be using a digitally signed URL for get_file (http://web2py.com/books/default/chapter/29/4#Digitally-signed-urls).

Anthony
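The token flow described in the reply above, as an added example that is not part of the original post and is not web2py's own code: a simplified model of a session-bound, single-use form key, showing why the editor's upload is rejected by default and what changes under the other options. The function names, the "formkeys" session entry and the sample upload are assumptions made for illustration.

```python
import hmac
import secrets


def issue_formkey(session):
    """Model of rendering the form (or of an Ajax endpoint doing so):
    store a fresh token in the server-side session and return it."""
    key = secrets.token_urlsafe(16)
    session.setdefault("formkeys", []).append(key)  # hypothetical session entry
    return key


def accept_post(session, post_vars, check_session=True):
    """Return True if the submission is accepted.

    check_session=False models form.process(session=None): no token is
    required, so the CSRF check is skipped entirely.
    """
    if not check_session:
        return True
    sent = post_vars.get("_formkey", "").encode()
    pending = session.get("formkeys", [])
    for key in pending:
        # Constant-time comparison of the submitted and stored tokens.
        if hmac.compare_digest(key.encode(), sent):
            pending.remove(key)  # single use: a replayed token is rejected
            return True
    return False


def demo():
    session = {}                      # constructed stand-in for one user's session
    upload = {"file": "a.png"}        # constructed sample upload

    # 1. The editor posts the file with no token: rejected by default.
    no_token = accept_post(session, dict(upload))
    # 2. Same post with the check disabled (the session=None option).
    check_off = accept_post(session, dict(upload), check_session=False)
    # 3. The page first obtains a token via Ajax, then the editor sends it.
    token = issue_formkey(session)
    with_token = accept_post(session, dict(upload, _formkey=token))
    # 4. Re-sending the same token fails because it was consumed in step 3.
    replayed = accept_post(session, dict(upload, _formkey=token))
    return no_token, check_off, with_token, replayed


if __name__ == "__main__":
    print(demo())
```

Case 2 accepts any post, including one triggered from another site, which is the protection given up when the token check is turned off.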