I'm trying to secure file downloads.  I use user_signature=True for an 
action that generates an edit form that includes an upload field.  The 
upload widget generates a download link but the link appends the file name 
arg after the signature var.

I'm using:
crud.settings.download_url = URL('document', 'download',
                                 args=document.customer, user_signature=True)

I'm then using:
form = crud.update(...)

This creates a download link like
/document/download/51?_signature=<signature>/<filename>
instead of
/document/download/51/<filename>?_signature=<signature>

On a related topic, I'm using that extra arg above to create separate 
folders for each customer (useful for multi-tenant) but this breaks 
appadmin uploads and download links.  It would be great to use a lambda for 
the upload folder, something like ...

db.define_table('document',
                Field('customer', 'reference customer'),
                Field('document', 'upload', autodelete=True,
                      uploadfolder=lambda row: (request.folder +
                                                'document/download/' +
                                                row.customer)),
                )
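
Why the first link in the post cannot pass a signature check, as an added example that is not part of the original post and is not web2py's own code. It uses a generic HMAC-signed URL as a stand-in for web2py's signing scheme; the key, helper names and the file name report.pdf are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

KEY = b"constructed-demo-key"  # constructed; stands in for a per-session secret


def sign(path):
    """Hex HMAC-SHA256 over the whole path, so every arg is covered."""
    return hmac.new(KEY, path.encode(), hashlib.sha256).hexdigest()


def signed_url(path):
    """Return path?_signature=<hmac of path>."""
    return path + "?" + urlencode({"_signature": sign(path)})


def verify(url):
    """Recompute the HMAC over the path as a server would parse it."""
    parts = urlsplit(url)
    sig = parse_qs(parts.query).get("_signature", [""])[0]
    return hmac.compare_digest(sig.encode(), sign(parts.path).encode())


def demo(filename="report.pdf"):
    base = signed_url("/document/download/51")
    # The case from the post: the file name is appended to the finished URL,
    # so it lands after the query string instead of in the path.
    appended = base + "/" + filename
    parts = urlsplit(appended)
    # Moving the file name into the path without re-signing does not help:
    # the signature was computed over the shorter path.
    moved = parts.path + "/" + filename + "?" + urlsplit(base).query
    # Signing after the file name is already part of the path works.
    signed_last = signed_url("/document/download/51/" + filename)
    return {
        "path_seen_by_server": parts.path,
        "signature_value": parse_qs(parts.query)["_signature"][0],
        "appended_verifies": verify(appended),
        "moved_verifies": verify(moved),
        "signed_last_verifies": verify(signed_last),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

In this stand-in scheme the appended file name becomes part of the _signature value, so the server never sees it as a path arg and the signature comparison fails.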
