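I'm glad you like it, and it's interesting, but this approach is not secure: 
saveAddress inserts whatever is POSTed without checking any token, so it is 
susceptible to double submission and CSRF. I would only recommend doing it 
this way if you are building an internal-only website. You should probably 
add a formkey (a one-time token kept in the session and checked on submit) 
to protect against both.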

On Wednesday, March 20, 2013 6:44:16 PM UTC-7, 黄祥 wrote:
>
> this cool man, thanks derek
> hi alex,
> hope this can help for you to follow the web2py slices (much more simple 
> than the one on the discussion that i've attached before):
>
> p.s. please focus on the bold
>
> *pwd*
> /web2py/applications/test
>
> *cat controllers/default.py*
> # -*- coding: utf-8 -*-
> # this file is released under public domain and you can use without 
> limitations
>
> #########################################################################
> ## This is a samples controller
> ## - index is the default action of any application
> ## - user is required for authentication and authorization
> ## - download is for downloading files uploaded in the db (does streaming)
> ## - call exposes all registered services (none by default)
> #########################################################################
>
>
> *def index(): *
> *    return dict(message="hello from houses.py")*
> * *
> *def display():*
> *    people = db().select(db.person.ALL)** *
> *    return dict(people = people)*
> * *
> *def showHouses():*
> *    houses = db(db.house.person == request.vars.id).select(db.house.ALL)*
> *    return dict(houses=houses)*
> * *
> *def saveAddress():*
> *        if request.post_vars.address:*
> *            newhouse = 
> db.house.insert(address=request.post_vars.address, 
> person=request.post_vars.owner)*
> *        houses = db(db.house.person == 
> request.post_vars.owner).select(db.house.ALL)*
> *        return dict(houses=houses)*
>
>
> def user():
>     """
>     exposes:
>     http://..../[app]/default/user/login
>     http://..../[app]/default/user/logout
>     http://..../[app]/default/user/register
>     http://..../[app]/default/user/profile
>     http://..../[app]/default/user/retrieve_password
>     http://..../[app]/default/user/change_password
>     use @auth.requires_login()
>         @auth.requires_membership('group name')
>         @auth.requires_permission('read','table name',record_id)
>     to decorate functions that need access control
>     """
>     return dict(form=auth())
>
>
> def download():
>     """
>     allows downloading of uploaded files
>     http://..../[app]/default/download/[filename]
>     """
>     return response.download(request, db)
>
>
> def call():
>     """
>     exposes services. for example:
>     http://..../[app]/default/call/jsonrpc
>     decorate with @services.jsonrpc the functions to expose
>     supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv
>     """
>     return service()
>
>
> @auth.requires_signature()
> def data():
>     """
>     http://..../[app]/default/data/tables
>     http://..../[app]/default/data/create/[table]
>     http://..../[app]/default/data/read/[table]/[id]
>     http://..../[app]/default/data/update/[table]/[id]
>     http://..../[app]/default/data/delete/[table]/[id]
>     http://..../[app]/default/data/select/[table]
>     http://..../[app]/default/data/search/[table]
>     but URLs must be signed, i.e. linked with
>       A('table',_href=URL('data/tables',user_signature=True))
>     or with the signed load operator
>       
> LOAD('default','data.load',args='tables',ajax=True,user_signature=True)
>     """
>     return dict(form=crud())
>
> *cat models/db.py*
> # -*- coding: utf-8 -*-
>
> #########################################################################
> ## This scaffolding model makes your app work on Google App Engine too
> ## File is released under public domain and you can use without limitations
> #########################################################################
>
> ## if SSL/HTTPS is properly configured and you want all HTTP requests to
> ## be redirected to HTTPS, uncomment the line below:
> # request.requires_https()
>
> if not request.env.web2py_runtime_gae:
>     ## if NOT running on Google App Engine use SQLite or other DB
>     db = DAL('sqlite://storage.sqlite',pool_size=1,check_reserved=['all'])
> else:
>     ## connect to Google BigTable (optional 'google:datastore://namespace')
>     db = DAL('google:datastore')
>     ## store sessions and tickets there
>     session.connect(request, response, db=db)
>     ## or store session in Memcache, Redis, etc.
>     ## from gluon.contrib.memdb import MEMDB
>     ## from google.appengine.api.memcache import Client
>     ## session.connect(request, response, db = MEMDB(Client()))
>
> ## by default give a view/generic.extension to all actions from localhost
> ## none otherwise. a pattern can be 'controller/function.extension'
> response.generic_patterns = ['*'] if request.is_local else []
> ## (optional) optimize handling of static files
> # response.optimize_css = 'concat,minify,inline'
> # response.optimize_js = 'concat,minify,inline'
>
> #########################################################################
> ## Here is sample code if you need for
> ## - email capabilities
> ## - authentication (registration, login, logout, ... )
> ## - authorization (role based authorization)
> ## - services (xml, csv, json, xmlrpc, jsonrpc, amf, rss)
> ## - old style crud actions
> ## (more options discussed in gluon/tools.py)
> #########################################################################
>
> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
> auth = Auth(db)
> crud, service, plugins = Crud(db), Service(), PluginManager()
>
> ## create all tables needed by auth if not custom tables
> auth.define_tables(username=False, signature=False)
>
> ## configure email
> mail = auth.settings.mailer
> mail.settings.server = 'logging' or 'smtp.gmail.com:587'
> mail.settings.sender = 'y...@gmail.com <javascript:>'
> mail.settings.login = 'username:password'
>
> ## configure auth policy
> auth.settings.registration_requires_verification = False
> auth.settings.registration_requires_approval = False
> auth.settings.reset_password_requires_verification = True
>
> ## if you need to use OpenID, Facebook, MySpace, Twitter, Linkedin, etc.
> ## register with janrain.com, write your domain:api_key in 
> private/janrain.key
> from gluon.contrib.login_methods.rpx_account import use_janrain
> use_janrain(auth, filename='private/janrain.key')
>
> #########################################################################
> ## Define your tables below (or better in another model file) for example
> ##
> ## >>> db.define_table('mytable',Field('myfield','string'))
> ##
> ## Fields can be 'string','text','password','integer','double','boolean'
> ##       'date','time','datetime','blob','upload', 'reference TABLENAME'
> ## There is an implicit 'id integer autoincrement' field
> ## Consult manual for more options, validators, etc.
> ##
> ## More API examples for controllers:
> ##
> ## >>> db.mytable.insert(myfield='value')
> ## >>> rows=db(db.mytable.myfield=='value').select(db.mytable.ALL)
> ## >>> for row in rows: print row.id, row.myfield
> #########################################################################
>
> ## after defining tables, uncomment below to enable auditing
> # auth.enable_record_versioning(db)
>
>
> *db.define_table('person', Field('name'),Field('age','integer'))*
> *db.define_table('house',Field('address'),Field('person', db.person))*
> *
> *
> *from gluon.contrib.populate import populate*
> *if db(db.auth_user).isempty():*
> *
> *
> *# person*
> *populate(db.person, 10)*
> *
> *
> *# group*
> *auth.add_group('Admin', 'Admin')*
> *
> *
> *# membership*
> *auth.add_membership('1', '1')*
> *
> *
> *# user*
> *db.auth_user.bulk_insert([{'first_name' : 'Admin', 'last_name' : 
> 'Admin', *
> *                           'email' : 'ad...@test.com <javascript:>', *
> *                           'password' : 
> db.auth_user.password.validate('password')[0]}])*
>                                
> *cat views/default/display.html *
> *{{extend 'layout.html'}}*
> *<h1>This is the houses/display.html template</h1>*
> *{{=BEAUTIFY(response._vars)}}*
> *{{ for x in people: }}*
> *Show Addresses for: {{=A(x.name, _href=URL('showHouses?id=' + str(x.id
> )))}}*
> *{{=BR()}}*
> *{{ pass }}*
>
> *cat views/default/saveAddress.html *
> *{{=BEAUTIFY(response._vars)}}*
>
> *cat views/default/showHouses.html *
> *{{extend 'layout.html'}}*
> *<h1> Showing houses for person #{{=request.vars.id}}</h1>*
> * *
> *<div id="houseListing"></div>*
> *<div id="input"><input type="text" name="address"/><input type="hidden" 
> name="owner" value="{{=request.vars.id}}" />*
> *    <button onclick="ajax('saveAddress', ['address', 'owner'], 
> 'houseListing')"> Web2PY save </button>*
> *</div>*
> *<script>*
> *ajax('saveAddress',['owner'],'houseListing');*
> *</script>*
>
>>
