[web2py] Re: Possible bug with user_signature?

Mon, 27 Feb 2012 14:58:21 -0800 

I am treating this as a bug. now fixed in trunk.

On Feb 27, 2:07 pm, Anthony <abasta...@gmail.com> wrote:
> In
>
> URL('adviewer', 'savesettings/location', user_signature=True)
>
> the URL() function sees function='savesettings/location' and args=None.
> However, when a request is made to the URL generated by the above, the
> function that verifies the signature sees function='savesettings' and
> args='location'. The problem is, function='savesettings' and
> args='location' does not generate the same signature as
> function='savesettings/location' and args=None. The reason is that when
> generating the signature, the extension is first added to the function
> before concatenating the args, so when the signature is first generated, it
> is a hash of a URL that includes "/savesettings/location.html", but when
> verified, the signature is a hash of a URL that includes
> "/savesettings.html/location". Therefore, the hashes won't match because
> they are created from different strings.
>
> Is there any reason you are using the above rather than:
>
> URL('adviewer', 'savesettings', args='location', user_signature=True)
>
> which is really the correct way to use the URL() function? If you
> explicitly specify "location" as the args argument to URL(), I think it
> should work.
>
> Anthony
>
>
>
>
>
>
>
> On Monday, February 27, 2012 1:22:25 PM UTC-5, Detectedstealth wrote:
>
> > Ok it looks like the bug is related to:
>
> > URL('action/additional_parms', user_signature=True) if you have something
> > in addition to the action @auth.requires_signature fails.
>
> > When using: FORM(_action=URL('adviewer','savesettings/location',
> > user_signature=True)) or redirect(URL('payment/%s' %
> > has_unpaid_orders.access_key, user_signature=True)) with
> > @auth.requires_signature() on the action it fails with access denied.
>
> > On Wed, Feb 22, 2012 at 3:19 PM, Bruce Wade <bruce.w...@gmail.com> wrote:
>
> >> When using user_signature=True in a form that action goes to another
> >> method and that method has @auth.requires_signature I am getting access
> >> denied, if I remove the @auth.requires_signature I still see the signature
> >> but don't have the access denied message.
>
> >> FORM:
> >> # adviewer.viewads();
>
> >> locationform=FORM(
> >>         DIV(
> >>             SELECT(countries_options,_id='by-country',_name='country',
> >> _onchange="updateProvinces(this)", value=selected_country),
> >>             _id='country_options', _class='filter-selects'
> >>         ),
> >>         DIV(
> >>             SELECT(provinces_options,_id='by-province',
> >> _name='province_state',_onchange="updateCities(this)",
> >> value=selected_province),
> >>             _id='province_options', _class='filter-selects'
> >>         ),
> >>         DIV(SELECT(
> >>             cities_options,_id='by-province', _name='city',
> >> value=selected_city),
> >>             _id='city_options', _class='filter-selects'
> >>         ),
> >>         DIV(_class='clear'),
> >>         INPUT(_type='submit', _value='Save', _class='filter-btn'),
> >>         _name='locationform',
> >>         _action=URL('adviewer','savesettings/location',
> >> user_signature=True)
> >>     )
>
> >> Capture Method:
> >> # adviewer.savesettings()
> >> // URL submitted to this method:
> >>http://127.0.0.1:8000/zh/adviewer/savesettings/location?_signature=82...
> >> @auth.requires_login()
> >> @auth.requires_signature()  # If I remove this there is no access denied.
> >> def savesettings():
> >>     print request.vars
> >>     print request.args(0)
> >>     from youadAPI.adviewer_api import AdViewerEngine
> >>     if request.args(0) == 'location':
> >>         adviewer_engine.update_or_create_adviewer_settings(
> >>             AdViewerEngine.location,
> >>             dict(
> >>                  country=request.vars['country'],
> >>                  province=request.vars['province_state'],
> >>                  city=request.vars['city']
> >>             )
> >>         )
> >>     elif request.args(0) == 'language':
> >>         adviewer_engine.update_or_create_adviewer_settings(
> >>             AdViewerEngine.language,
> >>             dict(
> >>                 language = request.vars['language']
> >>             )
> >>         )
> >>     elif request.args(0) == 'keywords':
> >>         adviewer_engine.update_or_create_adviewer_settings(
> >>             AdViewerEngine.keywords,
> >>             dict(
> >>                 keywords = request.vars['keywords']
> >>             )
> >>         )
>
> >> --
> >> --
> >> Regards,
> >> Bruce Wade
> >>http://ca.linkedin.com/in/brucelwade
> >>http://www.wadecybertech.com
> >>http://www.warplydesigned.com
> >>http://www.fitnessfriendsfinder.com
>
> > --
> > --
> > Regards,
> > Bruce Wade
> >http://ca.linkedin.com/in/brucelwade
> >http://www.wadecybertech.com
> >http://www.warplydesigned.com
> >http://www.fitnessfriendsfinder.com

Reply via email to