[web2py] passing navigational links in the header and ajax woes

Thu, 19 Jan 2012 20:53:45 -0800 

Currently, in my application, I am passing navigational links in the
header, such as /app/controller/view/1/2/3

Where 1/2/3 are things the controller and view use to set the correct
page.

In my application, I am finding two problems with this.  First is
security.  Although I have written validation on my controllers (I
hope), I just worry that with more users some malicious person will
find a way to get access they shouldn't.

Second and more urgent is my application broke when I tried to write
my first ajax function, I assume because the navigational variables
are competing with the ajax variables somehow.  I say this because
when I make the controller empty and just return a dict everything
works as normal.  However, when I have the controller look for
variables in request.vars and I then try to call an ajax function, it
breaks hideously.

I don't claim to be a great programmer, so it could definitely be a
convention I am not following.

Has anyone had this problem before?  How did you solve it? Should I
pass my request.vars into the session and then have the view call
them?

 I read in the book that I can do ajax trapping and I haven't tried
that yet, but I didn't think it would be necessary since I could make
it work without it.  I will try it, but regardless I would love to get
some feedback.

for clarity, my code causing problems is below:

def my_func():
    if request.args:
        #First, I check to see if there is a record, if there is, I
get some information.
        check=db(db.mydb.id==request.args(0)).select().first()
        if check !=None:
            records=db(db.mydb.id==request.args(0)).select()
            row = db(db.mydb.id==request.args(0)).select().first()
            counter=len(records)
        #if it isnt, I make it with a function
        else:
            row = db(db.mydb.id==request.args(0)).select().first()
            my_id=row.id
            (filename, stream) =
db.mydb.myfield.retrieve(row.resourcefield)
            myfunc(id,filename,stream)
            records=db(db.mydb.id==request.args(0)).select()
            counter=len(records)
        pass
    #if there is no specific document request, generate a list of
available files
    else:
        redirect(URL('mycontroller','this_function'))
    return(counter=counter, records=records, row=row)

def myajaxfunc():
    form=SQLFORM(db.mydb2, _action="myajaxfunc")
    if form.errors:
        session.flash="Error: " + str(form.errors)
    return XML(form)

my view:

{{for i in range(1,5):}}
    <div id="my_div" onclick="ajax('myajaxfunc',[''],
'mytarget_{{=str(i)}}')">Click me to add a note</div>
    <div id="mytarget_{{=str(i)}}"></div>
{{pass}}

Reply via email to