Thanks Anthony. It took me a while to get this to work. There were two things in my code that made calling the LOAD return a "Not Authorized":

1. {{('message' in globals())}} at the top of the calling html file. I had to delete this.
2. LOAD(... ajax=False, user_signature=True) i.e. I have to have ajax=True

After correcting for these, your suggestion worked.

On Monday, March 7, 2016 at 1:47:40 PM UTC-8, Anthony wrote:
>
> You can use a digital signature:
> http://web2py.com/books/default/chapter/29/04/the-core#Digitally-signed-urls
>
> When creating the component, do LOAD(..., user_signature=True). Then
> decorate your component actions with @auth.requires_signature().
>
> Anthony
>
> On Monday, March 7, 2016 at 3:58:25 PM UTC-5, Ben Lawrence wrote:
>>
>> Hi
>>
>> I just need a little advice here.
>>
>> There are logged in users on my website that are given permission to
>> access a particular html page. The page changes depending on the user
>> logged in. The controller decides on whether the user can access that page
>> or not.
>>
>> The html page calls LOADs. How do I properly secure these LOAD calls with
>> the same permission as the html parent? (Otherwise people can just put the
>> LOAD file address in the browser and see it.)
>>
>> Now, I am running the same database checks in the LOAD as in the html, so
>> there is duplication here. Should I use the http referrer
>> request.env.http_referer to check that the caller is correct or is there a
>> better way?
>>
>> Thanks for your time.
>>
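The mechanism Anthony points at (LOAD(..., user_signature=True) on the parent page, @auth.requires_signature() on the component action) is a per-session HMAC over the component URL, which is why the component can no longer be opened by pasting its address into the browser and why a Referer check is unnecessary. The following is an added, stand-alone Python model of that idea for readers of this thread; it is not web2py's code (web2py derives the key from the session and canonicalises URLs its own way), and the `Request` class, `requires_signature` decorator, `component` action and all keys and parameter values are constructed for the example.

```python
"""Added example: HMAC-signed component URLs in the spirit of
web2py's LOAD(..., user_signature=True) + @auth.requires_signature().
Not web2py's implementation; all values below are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG_PARAM = "_signature"  # hypothetical name for the signature query parameter


def _canonical(path, params):
    """Bytes that get signed: the path plus the query parameters in sorted
    order, so the signature does not depend on parameter order."""
    return (path + "?" + urlencode(sorted(params.items()))).encode()


def sign_url(path, params, session_key):
    """What the parent page embeds: the component URL plus a MAC computed
    with this session's key (the role LOAD(..., user_signature=True) plays)."""
    sig = hmac.new(session_key, _canonical(path, params), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(sorted(params.items()) + [(SIG_PARAM, sig)])


def verify_url(url, session_key):
    """Server side: strip the presented signature, recompute the MAC over
    everything else, and compare in constant time."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop(SIG_PARAM, None)
    if presented is None:
        return False
    expected = hmac.new(session_key, _canonical(parts.path, params),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


class Request:
    """Stand-in for the framework request: the URL hit and the per-session
    key (in web2py the key is kept in the user's session)."""
    def __init__(self, url, session_key):
        self.url = url
        self.session_key = session_key


def requires_signature(action):
    """Decorator modelled on @auth.requires_signature(): refuse any request
    whose URL was not minted by this user's own session."""
    def wrapper(request):
        if not verify_url(request.url, request.session_key):
            return 403, "Not Authorized"
        return action(request)
    return wrapper


@requires_signature
def component(request):
    """The action a LOAD pulls in; real code would do its DB work here."""
    return 200, "component content"


def demo():
    """Exercise the four cases the thread cares about; returns status codes."""
    alice_key = secrets.token_bytes(32)    # constructed per-session keys
    mallory_key = secrets.token_bytes(32)
    path = "/app/default/component"
    params = {"doc": "42", "view": "summary"}

    signed = sign_url(path, params, alice_key)  # embedded by the parent page
    return {
        # the LOAD issued by the parent page, same session
        "legit": component(Request(signed, alice_key))[0],
        # typing the component address directly, no signature at all
        "unsigned": component(Request(path + "?doc=42&view=summary", alice_key))[0],
        # editing a parameter of a signed URL after the fact
        "tampered": component(Request(signed.replace("doc=42", "doc=43"), alice_key))[0],
        # pasting Alice's signed URL into another user's session
        "other_session": component(Request(signed, mallory_key))[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the key is per session, only a URL that the parent page generated for the logged-in user verifies; a direct, edited or borrowed URL gets the same "Not Authorized" the thread describes. That is also why the component request must be the one the page issued (the ajax=True finding above): a signature is only checked on the URL that actually carries it.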