For extra security I'm adding user_signature=True to critical ajax calls, 
but it isn't working for me. In my view, I have the following call after 
the page is created:

    ajax("{{= URL(c='my_controller', f='do_something',
                  vars=dict(x=session.x, y=session.y), user_signature=True)}}", [], ":eval");

Then in the controller:

    def do_something():
        if not URL.verify(request):
            raise HTTP(403)
        ...

This always raises HTTP(403) regardless of whether or not I'm logged in. 

I've traced through gluon's html.py function. One thing that looks awfully 
suspicious is that the "vars" variable is getting evaluated with an extra 
item that looks like this:

'amp': ['','','']

Somehow, it's looking at the & separator and parsing it into a variable 
instead of a variable separator in a url, such as:
http://my_domain.com/my_controller/do_something?x=1&y=2&_signature=1f1d8d6eb7e2e98712023d8e2f3a38ee3dbe6466

Am I doing something wrong here, or is this a bug?
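A bogus `amp` key is exactly what a query-string parser produces when it is handed an HTML-escaped `&amp;` instead of a bare `&`, and a signature computed over the clean query string can never match the escaped one. The following added example (not from the post, not web2py's code) reproduces that with the standard library: a simplified HMAC signer and a `parse_query` that splits on `&` and `;` as Python 2's `cgi.parse_qs` did; the secret and the paths are constructed for the demo.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import urlencode, urlsplit

# Constructed secret for this demo only; web2py derives its own key.
SECRET = b"demo-secret-not-from-web2py"


def sign_url(path, params):
    """Return path?query&_signature=hmac(path?query); simplified stand-in for a signed URL."""
    query = urlencode(params)
    sig = hmac.new(SECRET, f"{path}?{query}".encode(), hashlib.sha1).hexdigest()
    return f"{path}?{query}&_signature={sig}"


def parse_query(url):
    """Split the query string on '&' and ';' into {key: [values]}, as Python 2's cgi.parse_qs did."""
    result = {}
    for pair in re.split(r"[&;]", urlsplit(url).query):
        if pair:
            key, _, value = pair.partition("=")
            result.setdefault(key, []).append(value)
    return result


def verify_url(url):
    """Recompute the HMAC over the received vars and compare it with _signature."""
    received = parse_query(url)
    sig = received.pop("_signature", [None])[0]
    if sig is None:
        return False
    query = urlencode([(k, v) for k, vs in received.items() for v in vs])
    expected = hmac.new(SECRET, f"{urlsplit(url).path}?{query}".encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sig)


def escape_like_template(url):
    """HTML-escape the URL the way a {{= ...}} template expression does: & becomes &amp;."""
    return html.escape(url, quote=False)


if __name__ == "__main__":
    signed = sign_url("/my_controller/do_something", {"x": "1", "y": "2"})
    print(verify_url(signed))                       # True
    escaped = escape_like_template(signed)
    print(parse_query(escaped).get("amp"))          # ['', ''] -- the bogus 'amp' var
    print(verify_url(escaped))                      # False -> this is the HTTP(403) path
    print(verify_url(html.unescape(escaped)))       # True again once the entities are undone
```

Inside a `<script>` block the browser does not undo entity escaping, so the escaped URL goes to the server verbatim; emitting the URL without template escaping (or building it in the controller) keeps the `&` separators intact.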
