Hi All,
Not sure if this is the right thread to put this up -- 
I was trying to use this code for REST/JSON -- however, with slight 
changes and wrong parameters in the URL my entire table got exposed -- here 
is the code -- 

*CONTROLLER :  DEFAULT.PY CODE*

## API ---
@request.restful()
def api():
        
    response.view = 'generic.'+request.extension

    def GET(*args,**vars):
        patterns = 'auto'
        parser = db.parse_as_rest(patterns,args,vars)
        if parser.status == 200:
            return dict(content=parser.response)
        else:
            raise HTTP(parser.status,parser.error)

    def POST(table_name,**vars):
        return db[table_name].validate_and_insert(**vars)

    def PUT(table_name,record_id,**vars):
        return db(db[table_name]._id==record_id).update(**vars)

    def DELETE(table_name,record_id):
        return db(db[table_name]._id==record_id).delete()

    return dict(GET=GET, POST=POST, PUT=PUT, DELETE=DELETE)

When someone adds a URL like this in the browser -- 
http://127.0.0.1:8000/artpic/default/api/mblog?id=%221%22&id=%222%22  
( http://127.0.0.1:8000/artpic/default/api/mblog?id="1"&id="2" )  it poses 
a huge risk, as all the data in the table is exposed. All tables are exposed, 
and even the username and password from my tables get exposed and are easily 
accessible. 

This works properly -- but the above URL exposes a huge security risk -- 
http://127.0.0.1:8000/artpic/default/api/mblog/id/37.json

Am I doing this properly? Is there something I am missing? The above 
code in the controller is the only code I am using -- please see the image 
attached -- it looks like a huge security risk.

Regards,

*Rahul*
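As an added, stand-alone illustration (not code from this thread or from web2py itself), the following models the deny-by-default allow-list that an explicit pattern list gives you in place of `patterns='auto'`, which publishes every table the DAL knows about to an unauthenticated caller. The table name `mblog`, the exposed fields, the `PATTERNS` list and the login rule for writes are all assumptions; `authorize()` and `project()` are framework-free so they run here, and the write rule mirrors what `@auth.requires_login()` would enforce inside the controller.

```python
"""Deny-by-default gate for a web2py-style REST endpoint (stand-alone model)."""
from dataclasses import dataclass

# Constructed policy: only these tables and fields are reachable anonymously.
# Anything not listed (a user table, a password column) is simply invisible,
# unlike patterns='auto', which exposes every table and every readable field.
PUBLIC_READ = {"mblog": {"id", "title", "body"}}
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# The same allow-list written as explicit parse_as_rest patterns in the
# documented web2py syntax, to pass instead of 'auto' (assumed table 'mblog').
PATTERNS = [
    "/mblog[mblog]",                # list records of mblog only
    "/mblog/id/{mblog.id}",         # one record, as in /api/mblog/id/37.json
    "/mblog/id/{mblog.id}/:field",  # one readable field of that record
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    reason: str


def authorize(method, args, user_id=None):
    """Decide before touching the DAL; args is request.args, e.g. ['mblog', 'id', '37']."""
    if not args:
        return Decision(False, 400, "no table in path")
    table = args[0]
    if table not in PUBLIC_READ:
        return Decision(False, 404, "table not exposed")   # deny by default
    if method in WRITE_METHODS:
        if user_id is None:
            return Decision(False, 401, "login required for writes")
        return Decision(True, 200, "ok")
    if method != "GET":
        return Decision(False, 405, "method not allowed")
    # /table/field/value[/field]: every named field must itself be exposed.
    for name in args[1::2]:
        if name not in PUBLIC_READ[table]:
            return Decision(False, 400, "field not exposed")
    return Decision(True, 200, "ok")


def project(table, record):
    """Defence in depth: drop columns the policy does not expose from a row dict."""
    return {k: v for k, v in record.items() if k in PUBLIC_READ.get(table, ())}
```

Calling `authorize(request.env.request_method, request.args, auth.user_id)` at the top of `api()` and returning `HTTP(decision.status, decision.reason)` on denial keeps the DAL from ever seeing a request for a table or field that was not meant to be public.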

On Friday, June 22, 2012 at 7:55:19 PM UTC+5:30 Massimo Di Pierro wrote:

> wow. done that.
>
> On Thursday, 21 June 2012 18:04:04 UTC-5, Anthony wrote:
>>
>> Using my new Google Groups super powers 
>> <https://groups.google.com/d/msg/web2py/trtS-S-4exs/aTLXn1yESboJ>, I 
>> have edited your original post, so if you'd like, you can delete this 
>> correction and we can pretend this never happened. ;-)
>>
>> Anthony
>>
>> On Thursday, June 21, 2012 6:40:37 PM UTC-4, Massimo Di Pierro wrote:
>>>
>>> Silly me. This
>>>
>>> def PUT(table_name,record_id):
>>>     return db(db[table_name]._id==record_id).delete()
>>>
>>> was supposed to be
>>>
>>> def DELETE(table_name,record_id):
>>>     return db(db[table_name]._id==record_id).delete()
>>>
>>>
>>>
>>> On Thursday, 21 June 2012 13:38:01 UTC-5, Derek wrote:
>>>>
>>>> Looks like you have Get, Post, and PUT and PUT. Where's Delete?
>>>>
>>>> On Wednesday, June 20, 2012 4:39:33 PM UTC-7, Massimo Di Pierro wrote:
>>>>>
>>>>> You can do
>>>>>
>>>>> @request.restful()
>>>>> def api():
>>>>>     response.view = 'generic.'+request.extension
>>>>>     def GET(*args,**vars):
>>>>>         patterns = 'auto'
>>>>>         parser = db.parse_as_rest(patterns,args,vars)
>>>>>         if parser.status == 200:
>>>>>             return dict(content=parser.response)
>>>>>         else:
>>>>>             raise HTTP(parser.status,parser.error)
>>>>>     def POST(table_name,**vars):
>>>>>         return db[table_name].validate_and_insert(**vars)
>>>>>
>>>>>     def PUT(table_name,record_id,**vars):
>>>>>         return db(db[table_name]._id==record_id).update(**vars)
>>>>>
>>>>>     def PUT(table_name,record_id):
>>>>>         return db(db[table_name]._id==record_id).delete()
>>>>>
>>>>>     return locals()
>>>>>
>>>>>
>>>>> On Wednesday, 20 June 2012 11:30:26 UTC-5, Osama Hussain wrote:
>>>>>>
>>>>>> Using the following code web2py generated all possible patterns for 
>>>>>> all my tables for GET and POST methods:
>>>>>>
>>>>>> @request.restful()
>>>>>> def api():
>>>>>>     response.view = 'generic.'+request.extension
>>>>>>     def GET(*args,**vars):
>>>>>>         patterns = 'auto'
>>>>>>         parser = db.parse_as_rest(patterns,args,vars)
>>>>>>         if parser.status == 200:
>>>>>>             return dict(content=parser.response)
>>>>>>         else:
>>>>>>             raise HTTP(parser.status,parser.error)
>>>>>>     def POST(table_name,**vars):
>>>>>>         return db[table_name].validate_and_insert(**vars)
>>>>>>     return locals()
>>>>>>
>>>>>>
>>>>>> Is it possible to have patterns generated for PUT and DELETE methods?
>>>>>>
>>>>>>

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/eb1325a1-ee80-4054-a9f4-9a13e4b5ba8bn%40googlegroups.com.