URL('rsvp_action',user_signature=True) +

@auth.requires_signature()
def rsvp_action():
    ...

On Saturday, 28 July 2012 08:50:30 UTC-5, Alec Taylor wrote:
>
> So I've got a simple link dropdown on each of my group-event pages, like
> so:
>
> <https://lh5.googleusercontent.com/-dgm_TWTUcOw/UBPs4ll7nKI/AAAAAAAAAB0/t8wlgPYE5qY/s1600/attend.PNG>
>
> I have a table called `rsvp_list` with reference fields: `event_id` and
> `user_id`, and an `rsvp` field requiring `IS_IN_SET(["Yes", "Maybe",
> "No"])`.
>
> One way I can make the above work is by appending the value for
> `event_id`, `user_id` and `rsvp` automatically, through global function
> calls or a specialised controller utilising `request.args`.
>
> Unfortunately this means that anyone who has figured out my URL schema can
> simply enter the ID of someone else into the URL, forging an RSVP.
>
> What's a better way of doing this?
>
> Thanks for all suggestions,
>
> Alec Taylor
> --
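
The reply above relies on signed URLs. The following is an added example, not part of the thread and not web2py's own code: a simplified stand-alone model of why a link signed with a per-session key cannot be edited to carry another `user_id`. The key store, the path, the parameter values and the helper names `sign_url` and `verify_url` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed per-session keys: each logged-in user gets a random key that
# the server keeps in that user's session and never sends to the browser.
SESSION_KEYS = {"alice": secrets.token_bytes(32),
                "mallory": secrets.token_bytes(32)}


def _mac(key, path, items):
    # Sign the path plus the sorted query parameters, so changing any of
    # event_id, user_id or rsvp invalidates the signature.
    message = path + "?" + urlencode(sorted(items))
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_url(session_user, path, params):
    """Build a link whose signature is tied to session_user's key."""
    items = list(params.items())
    sig = _mac(SESSION_KEYS[session_user], path, items)
    return path + "?" + urlencode(items + [("_signature", sig)])


def verify_url(session_user, url):
    """Return True only if url was signed for the session making the request."""
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    sent = [v for k, v in items if k == "_signature"]
    if len(sent) != 1:
        return False  # unsigned or ambiguous request
    rest = [(k, v) for k, v in items if k != "_signature"]
    expected = _mac(SESSION_KEYS[session_user], parts.path, rest)
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    return hmac.compare_digest(expected.encode(), sent[0].encode())


if __name__ == "__main__":
    # Constructed sample values.
    link = sign_url("alice", "/events/rsvp_action",
                    {"event_id": "7", "user_id": "12", "rsvp": "Yes"})
    print(verify_url("alice", link))                                     # untouched link
    print(verify_url("alice", link.replace("user_id=12", "user_id=99")))  # edited user_id
    print(verify_url("mallory", link))                                   # replayed in another session
```
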