Why does it matter? Most likely the user wouldn't know to go to the .load 
URL, and even if they did, they will simply view a poorly formatted version 
of what they can already see elsewhere. If the action needs to be protected 
via authentication, then decorate it with an Auth decorator, as any other 
action.

Anyway, this is not part of the public API so not guaranteed to remain 
backward compatible, but I suppose you could always do:

    if not request.cid:
        raise HTTP(404)

But again, if the action needs to be protected via authentication, then use 
Auth decorators instead.

Anthony

On Sunday, August 21, 2016 at 3:22:58 AM UTC-4, Kirill Shatalaev wrote:
>
>
> Hello.
>
> In the book we see:
>
> We can access it at the URL
>
> http://127.0.0.1:8000/test/comments/post.load
>
>
> But in production I do not want user to access this directly! It must be 
> callable only from template {{=LOAD}}
>
> How must I restrict this, by webserver (apache deny, for example) rules?
>
> Or web2py has a mechanism to do this?
>
> If component loaded via AJAX I can perform check something like:
>
> if not request.ajax:
>     raise HTTP(404)
>
> But what can I do if component is not AJAX-driven?
>
