> The controller above exposes multiple actions:
> http://.../[app]/default/user/register
> http://.../[app]/default/user/login
> http://.../[app]/default/user/logout
> http://.../[app]/default/user/profile
> http://.../[app]/default/user/change_password
> http://.../[app]/default/user/verify_email
> http://.../[app]/default/user/retrieve_username
> http://.../[app]/default/user/request_reset
> http://.../[app]/default/user/reset_password
> http://.../[app]/default/user/impersonate
> http://.../[app]/default/user/groups
> http://.../[app]/default/user/not_authorized_password
>
> This is all really useful. But, in the text there is no mention of
> "the controller above." Which controller is it? Indeed, the
> scaffolding app only appears to contain a very simple user() function
> in default.py.

The "controller above" is indeed the "simple user() function" in default.py:

    def user():
        return dict(form=auth())

That controller does in fact expose all the functions listed above. Note, in all those URLs, "user" is the function, and the part of the URL after "user/" is an arg (i.e., request.args(0)). The function returns form=auth(). When auth() is called, it automatically extracts request.args(0) to figure out which of the auth functions has been requested and proceeds accordingly.

> from gluon.tools import *
> auth = Auth(jodb)
> auth.define_tables()
>
> So, I don't have the hmac key. How bad is this? Let me guess: the
> passwords in the auth database are not being encrypted because there
> is no encryption key. When I go look at the raw table, the password
> has certainly been hashed. What key or salt is used when I have
> specified (mis-specified, as the case may be) auth as I have?

If you don't specify an hmac key, I believe the CRYPT validator defaults to using gluon.utils.simple_hash (http://code.google.com/p/web2py/source/browse/gluon/utils.py#26), which is a simple md5 hash -- no key involved.

Anthony
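
An added example, not code from this thread or from web2py: a stand-alone check built only on Python's hashlib and hmac that contrasts an unkeyed MD5 digest with a keyed one and flags stored password values consistent with the no-key case discussed above. The function names, the sample rows, the password and the key are all constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# 32 lowercase hex characters: the shape of an MD5 hexdigest.
MD5_SHAPE = re.compile(r"^[0-9a-f]{32}$")


def unkeyed_md5(password):
    """Plain MD5 of the password: no key, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def keyed_digest(password, key):
    """HMAC-SHA512 of the password under a server-side secret key."""
    return hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                    hashlib.sha512).hexdigest()


def audit(rows):
    """Flag (username, stored_password) rows that look unkeyed or unsalted."""
    counts = Counter(stored for _, stored in rows)
    findings = {}
    for user, stored in rows:
        issues = []
        if MD5_SHAPE.match(stored):
            # Heuristic only: HMAC-MD5 output has the same shape.
            issues.append("md5-shaped")
        if counts[stored] > 1:
            issues.append("digest-shared-with-another-user")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample rows; the password and key are made up for this example.
SAMPLE_ROWS = [
    ("alice", unkeyed_md5("correct horse")),
    ("bob", unkeyed_md5("correct horse")),
    ("carol", keyed_digest("correct horse", "constructed-demo-key")),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ROWS).items():
        print(user, issues)
```

Either finding is a cue to check whether a key was configured when those rows were written; the keyed digest depends on a secret that is not stored in the table, while the unkeyed one depends on the password alone.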