No, this is not what signed URLs are for. Signed URLs are for delegating
access control from one controller action to another. Consider this code:

    @auth.requires_membership('admin')
    def index():
        link = URL('other')
        return dict(link=link)

    @auth.requires_membership('admin')
    def other():
        return dict(message='hello world')

Both actions require the same membership (group "admin"). So if a user
follows the link, the membership is checked twice. For more complex
rules this can be time consuming. Signed URLs simplify the process:

    @auth.requires_membership('admin')
    def index():
        link = URL('other', user_signature=True)  #1
        return dict(link=link)

    @auth.requires_signature()  #2
    def other():
        return dict(message='hello world')

This means the index() action generates a one-time link that only works
for this one user within this one session. Only this user within this one
session can access the "other" action by following the link. The link will
be different for another user. If the user logs out or somebody steals it,
the link does not work. This is the same as:

What you need is different. What you need depends on how the files got in
that folder. If they were uploaded using

    db.define_table(...Field('file','upload')...)

then you simply need to set

    db.define_table(...Field('file','upload',authorize=lambda row:
        auth.has_permission('download','file'))...)

If these are static files that you create server side then you need your own
controller:

    import os

    @auth.requires_permission('download', 'file')
    def getfile():
        return response.stream(open(os.path.join('/location/', request.args(0)), 'rb'))

This assumes your users are members of a group (for example 'downloaders')
and this group has permission to 'download', 'file'. You can create the
group and the permission entry using appadmin.
Massimo
On Friday, 27 July 2012 10:00:23 UTC-5, lyn2py wrote:
>
> I want to create a protected folder containing file uploads, which can
> only be accessed selectively (different set of files for different users,
> depending on their permissions).
>
> They should not be able to access it even if they have the direct link.
>
> Can I (or should I) do this using digitally signed urls?
> Or is there a better way about it?
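An added example, not part of Massimo's reply and not web2py's own code: a simplified model of the session-bound signature described in the reply, showing why a copied link fails in another session or after logout. It assumes sessions are plain dicts holding a random per-login key; the helper names and the sample path are hypothetical.

```python
import hashlib
import hmac
import secrets

# Simplified model of a session-bound signed URL. Assumption: this is not
# web2py's implementation; sessions are plain dicts and the names are made up.

def login(session):
    """Give the session a fresh random signing key at login."""
    session["hmac_key"] = secrets.token_bytes(32)

def logout(session):
    """Drop the key so every link signed for this session stops verifying."""
    session.pop("hmac_key", None)

def sign_url(session, path):
    """Return path with a signature only this session's key can produce."""
    sig = hmac.new(session["hmac_key"], path.encode(), hashlib.sha256).hexdigest()
    return f"{path}?_signature={sig}"

def verify_url(session, url):
    """True only if the signature was made with this session's current key."""
    key = session.get("hmac_key")
    path, sep, sig = url.partition("?_signature=")
    if key is None or not sep:
        return False  # logged out, or the link carries no signature
    expected = hmac.new(key, path.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())

def demo():
    alice, mallory = {}, {}  # constructed sessions for two different users
    login(alice)
    login(mallory)
    link = sign_url(alice, "/app/default/other")  # constructed sample path
    results = {
        "owner": verify_url(alice, link),      # same user, same session
        "stolen": verify_url(mallory, link),   # link copied into another session
        "tampered": verify_url(alice, link.replace("other", "admin")),
    }
    logout(alice)
    results["after_logout"] = verify_url(alice, link)
    return results

if __name__ == "__main__":
    print(demo())
```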