If I have a page controlled by a function that has access control, do I need to also validate the same at the download stage?
For example (in pseudo-code): function x(): 1. Check to see if Mark Billion is the authorized user or redirect to google.com 2. do something 3. return dict(image.file=image.file) The view has the following "{{=URL('download', args=image.file)}}" My thought is that you cannot access either function x or x.html without being verified as me, and I dont see how you could pass to download() directly, so there is no reason to add another layer of authentication in the download function. Thoughts? -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.