No, this is not what signed urls are for. Signed urls are for delegating access control from one controller action to another. Consider this code:

    @auth.requires_membership('admin')
    def index():
        link = URL('other')
        return dict(link=link)

    @auth.requires_membership('admin')
    def other():
        return dict(message='hello world')

Both actions require the same membership (group "admin"). So if a user follows the link, the membership is checked twice. For more complex rules this can be time consuming. Signed urls simplify the process:

    @auth.requires_membership('admin')
    def index():
        link = URL('other',user_signature=True) #1
        return dict(link=link)

    @auth.requires_signature() #2
    def other():
        return dict(message='hello world')

This means the index() action generates a one time link that only works for this one user within this one session. Only this user within this one session can access the "other" action by following the link. The link will be different for another user. If the user logs out or somebody steals it, the link does not use it.

This is the same as:

What you need is different. What you need depends on how the files got in that folder. If they were uploaded using

    db.define_table(...Field('file','upload')...)

then you simply need to set

    db.define_table(...Field('file','upload',authorize=lambda row: auth.has_permission('download','file'))...)

If these are static files that you create server side then you need your own controller:

    import os

    # requires_permission is the decorator form of the has_permission check
    @auth.requires_permission('download','file')
    def getfile():
        # open in binary mode so the file is streamed unchanged
        return response.stream(open(os.path.join('/location/',request.args(0)),'rb'))

This assumes your users are members of a group (for example 'downloaders') and this group has permission to 'download', 'file'. You can create the group and the permission entry using appadmin.

Massimo

On Friday, 27 July 2012 10:00:23 UTC-5, lyn2py wrote:
> I want to create a protected folder containing file uploads, which can
> only be accessed selectively (different set of files for different users,
> depending on their permissions).
>
> They should not be able to access it even if they have the direct link.
>
> Can I (or should I) do this using digitally signed urls?
> Or is there a better way about it?
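
The session binding of signed urls described in the reply above, as an added example that is not part of the original post and is not web2py's own implementation: a simplified standard-library model in which each session holds a random key and the link carries an HMAC over its path and query. The names new_session, sign_url, verify_url and the "hmac_key" field are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit


def new_session():
    """Constructed session: a random per-login key kept server side."""
    return {"hmac_key": secrets.token_hex(32)}


def _mac(session, path, query):
    # The signature covers the path and the canonical (sorted) query string.
    message = f"{path}?{query}".encode()
    key = session["hmac_key"].encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(session, path, params=None):
    """Build a link that only verifies against the session that signed it."""
    query = urlencode(sorted((params or {}).items()))
    sep = "&" if query else ""
    return f"{path}?{query}{sep}_signature={_mac(session, path, query)}"


def verify_url(session, url):
    """True only for an unmodified link signed with this session's key."""
    if not session or "hmac_key" not in session:
        return False  # logged out: no key left to verify against
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sig = next((v for k, v in pairs if k == "_signature"), "")
    # Every other pair is re-signed, so added or duplicated parameters fail.
    query = urlencode(sorted(p for p in pairs if p[0] != "_signature"))
    expected = _mac(session, parts.path, query)
    return hmac.compare_digest(sig.encode(), expected.encode())
```

The signature only proves that the link was issued to the same session; deciding which files a user may download is still the job of the permission check on the download action.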