Sorry I misunderstood about passing other vars. When I talked about changed
state I meant the ajax callback for autocomplete does not change state. Of
course the form changes state but that has nothing to do with the
autocomplete signature.
Anyway, now looking at your code I understand better what you are trying to
do. This will not work. You have to put the code
mywidget = SQLFORM.widgets.autocomplete( request, db.t_member.f_Lookup,
id_field=db.t_member.id, limitby=(0,10), min_length=2, keyword=
"_autocomplete_forall"))
outside the function that requires signature. In the function you can use
it:
...
flds.append( Field( "handlerForAll", 'reference t_member', widget =
mywidget)
On Tuesday, 23 June 2015 11:20:49 UTC-5, Scott Hunter wrote:
>
> I have a page which has a form which includes an autocomplete widget.
> There is a function within a controller to manage that page; this is the
> function that autocomplete widget uses. It is not an "autocomplete
> function", although it is being used ("magically", according to the
> documentation) for the autocomplete functionality. In fact, I do not
> understand (and can find no reference to) an "autocomplete function" in the
> documentation; the function called is the one used to generate the page
> that the autocomplete widget is on.
>
> I *do* pass other vars to this function, and did not say otherwise: when
> called for the autocomplete, the only var is that for the autocomplete, and
> *I* never use that var (but do use others). Nor did I say this page does
> not change state, because in fact it does (this widget is used in a form).
>
> To be more concrete:
>
> #@auth.requires_signature()
> def edit_entry():
> ...
> flds = []
> ...
> flds.append( Field( "handlerForAll", 'reference t_member',
> widget = SQLFORM.widgets.autocomplete( request, db.t_member.f_Lookup,
> id_field=db.t_member.id, limitby=(0,10), min_length=2, keyword=
> "_autocomplete_forall" ) ) )
> ...
> form = SQLFORM.factory( *flds, formstyle="divs", submit_button="Update
> Entry" )
> if form.process(keepvalues=True,onvalidation=checkEntryEdit).accepted:
>
>
>
> On Tuesday, June 23, 2015 at 11:48:24 AM UTC-4, Massimo Di Pierro wrote:
>>
>> I guess the point here is why are you using requires_signature? Normally
>> you do to make sure that only the intended party can access the intended
>> controller function. In your case it is an autocomplete function. That
>> means 1) you do not what the vars is, 2) it is not dangerous since it does
>> not change the state, 3) as you say you do not pass any other vars
>> therefore every user accesses the same set of possible autocomplete values.
>>
>> Then you should not use @auth.requires_signature. You should use
>> @auth.requires_login() instead, simply to prevent DoS attacks.
>>
>> That said you can can do URL(..., user_signature=True, hash_vars = False)
>> along with @auth.requires_signature(hash_vars=False)
>>
>> so you hash the signature but not vars which would be added later by the
>> autocomplete JS.
>> hash_vars can also be a list of variable names to be hashed.
>>
>>
>>
>>
>>
>> On Monday, 22 June 2015 09:25:07 UTC-5, Scott Hunter wrote:
>>>
>>> I don't see how to use this information to solve the problem. Does any
>>> URL that points to this page need to specify what vars go into the
>>> signature, and what vars should be listed? Since the autocomplete only
>>> includes its own special var, and nothing else does, it seems that I'd need
>>> to exclude all vars.
>>>
>>> This doesn't seem like that outlandish a situation; is there
>>> documentation about how to handle it?
>>>
>>> - Scott
>>>
>>> On Monday, June 22, 2015 at 2:48:56 AM UTC-4, Massimo Di Pierro wrote:
>>>>
>>>> Looks at the options of URL and requires_signature. You can specify
>>>> which vars should be included in the signature. You cannot sign the
>>>> autocomplete field because that is generated by JS after web2py has
>>>> already
>>>> computed the signature.
>>>>
>>>> On Friday, 19 June 2015 15:31:58 UTC-5, Scott Hunter wrote:
>>>>>
>>>>> Autocomplete widgets do not appear to work within controller functions
>>>>> that require a digital signature (at least not for me).
>>>>>
>>>>> Is this a bug, a feature, or a mistake on my part?
>>>>>
>>>>> - Scott
>>>>>
>>>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
