For extra security I'm adding user_signature=True to a critical ajax call, but it isn't working for me. In my view, I have the following call after the page is created:

    ajax("{{= URL(c='my_controller', f='do_something', vars=dict(x=session.x, y=session.y), user_signature=True)}}", [], ":eval");

Then in the controller:

    def do_something():
        if not URL.verify(request):
            raise HTTP(403)
        ...

This always raises HTTP(403) regardless of whether or not I'm logged in. I've traced through gluon's html.py function. One thing that looks awfully suspicious is that the "vars" variable is getting evaluated with an extra item that looks like this:

    'amp': ['','','']

Somehow, it's looking at the & separator and parsing it into a variable instead of a variable separator in a url, such as:

    http://my_domain.com/my_controller/do_something?x=1&y=2&_signature=1f1d8d6eb7e2e98712023d8e2f3a38ee3dbe6466

Am I doing something wrong here, or is this a bug?
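
Added illustration, not part of the original post and not web2py's own code: it shows how a signed URL stops verifying once its & separators are HTML-escaped to &amp;, which is one way an 'amp' item with blank values can appear in the parsed vars. The names parse_legacy, sign, signed_url and verify and the key are hypothetical simplified stand-ins, and the sketch assumes a server-side parser that splits on both & and ; as legacy Python query parsers did.

```python
# Added example; sign()/verify() are simplified stand-ins, not web2py's URL.verify.
import hashlib
import hmac
import html
import re
from urllib.parse import unquote_plus, urlencode

KEY = b"constructed-demo-key"  # constructed; stands in for a per-session HMAC key

def parse_legacy(query):
    """Split on '&' and ';' and keep blank values (assumed legacy parser behaviour)."""
    parsed = {}
    for pair in re.split(r"[&;]", query):
        if pair:
            name, _, value = pair.partition("=")
            parsed.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return parsed

def sign(path, variables):
    """HMAC over the path plus the sorted, encoded variables."""
    items = sorted((k, v) for k, vs in variables.items() for v in vs)
    message = path + "?" + urlencode(items)
    return hmac.new(KEY, message.encode(), hashlib.sha1).hexdigest()

def signed_url(path, variables):
    """Build path?vars&_signature=... the way a signing URL helper would."""
    lists = {k: [str(v)] for k, v in variables.items()}
    query = urlencode(sorted(variables.items()))
    return "%s?%s&_signature=%s" % (path, query, sign(path, lists))

def verify(url):
    """Recompute the signature from the variables the server actually received."""
    path, _, query = url.partition("?")
    variables = parse_legacy(query)
    received = variables.pop("_signature", [""])[0]
    return hmac.compare_digest(received, sign(path, variables))

def demo():
    url = signed_url("/my_controller/do_something", {"x": 1, "y": 2})
    escaped = html.escape(url)  # what HTML-escaping template output does to '&'
    received_vars = parse_legacy(escaped.partition("?")[2])
    # Raw URL verifies; escaped URL gains an 'amp' variable and is rejected.
    return verify(url), verify(escaped), received_vars.get("amp")

if __name__ == "__main__":
    print(demo())
```
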