bump ....
On Jan 26, 9:42 pm, Niphlod <niph...@gmail.com> wrote:
> Hello, I'm working on integrating uploadify with web2py....
> Unfortunately uploadify doesn't use cookies at all when posting the
> files so if I want to "assign" a user to an uploaded file I need to
> secure the "receiving" function somehow.
> Uploadify can definitely add a parameter on every POST it does on the
> receiving page .... I'm not sure how to secure the access to that
> page. When uploadify is initialized the user is known in advance, so
> specifying the parameter(s) is not a problem.
>
> I don't see any method to retrieve current "active" sessions (I did a
> quick look into gluon folder) ... but at least it comes to my mind
> that I can put the user password as it is stored on the database
> (hashed with the random key) as a parameter and then retrieve the user
> querying the auth_user table....
> In this way I think the user is uniquely identified (or do I need to
> put also the username in the mix?) ... If he/she can upload a file
> forging a POST instead of accessing the site is a minor problem ....
> if that can be fixed is a plus.
>
> Does anyone have a better idea ? Is that implementation secure ?
>
> a snippet is better than a thousand words ....
>
> def receiver_page():
>     session.forget()
>     #user detection ........ fill the blanks
>     ...
>     ...
>     detected_user = x
>     #end user detection....
>     db.uploaded_files.insert(content=db.uploaded_files.store(stream,
>                                                              filename),
>                              user_id=detected_user)
>
> I know a session.forget() and wanting to know which user is accessing
> the page is kind of nonsense but nevertheless I'd like to do it :P
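
An added example (not part of the original post and not web2py's own code): instead of sending the stored password hash as the POST parameter, the page that initializes uploadify can issue a short-lived HMAC-signed token naming the user, which the receiving function verifies without a session. `SECRET_KEY`, `TOKEN_TTL` and both function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret; load it from private config in a real app.
SECRET_KEY = b"constructed-example-secret"
TOKEN_TTL = 600  # seconds a token stays valid (assumed value)


def issue_upload_token(user_id, now=None, key=SECRET_KEY):
    """Build 'user_id:expiry:signature' when the upload widget is rendered."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = "%d:%d" % (user_id, expiry)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (payload, sig)


def verify_upload_token(token, now=None, key=SECRET_KEY):
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        user_part, expiry_part, sig = token.split(":")
        user_id, expiry = int(user_part), int(expiry_part)
        sig_bytes = sig.encode()
    except (AttributeError, ValueError):
        return None  # missing parameter or malformed token
    # Recompute the signature over the canonical payload, never the raw input.
    payload = "%d:%d" % (user_id, expiry)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected.encode(), sig_bytes):
        return None
    if int(now if now is not None else time.time()) > expiry:
        return None  # token expired
    return user_id
```

Unlike the password hash, a leaked token of this kind expires on its own and cannot be reused as a long-lived credential for the account.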