For extra security I'm adding user_signature=True to a critical ajax calls,
but it isn't working for me. In my view, I have the following call after
the page is created:
ajax("{{= URL(c='my_controller', f='do_something',
vars=dict(x=session.x, y=session.y), user_signature=True)}}", [], ":eval");
Then in the controller:
def do_something():
if not URL.verify(request):
raise HTTP(403)
...
This always raises HTTP(403) regardless of whether or not I'm logged in.
I've traced through gluon's html.py function. One thing that looks awfully
suspicious is that the "vars" variable is getting evaluated with an extra
item that looks like this:
'amp': ['','','']
Somehow, it's looking at the & separator and parsing it into a variable
instead of a variable separator in a url, such as:
http://my_domain.com/my_controller/do_something?x=1&y=2&_signature=1f1d8d6eb7e2e98712023d8e2f3a38ee3dbe6466
Am I doing something wrong here, or is this a bug?
--
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
