Thank you Massimo, very clear. I will try the code now!

On Friday, July 27, 2012 11:55:24 PM UTC+8, Massimo Di Pierro wrote:
>
> No, this is not what signed URLs are for. Signed URLs are for delegating
> access control from one controller action to another. Consider this code:
>
> @auth.requires_membership('admin')
> def index():
>     link = URL('other')
>     return dict(link=link)
>
> @auth.requires_membership('admin')
> def other():
>     return dict(message='hello world')
>
> Both actions require the same membership (group "admin"). So if a user
> follows the link, the membership is checked twice. For more complex
> rules this can be time consuming. Signed URLs simplify the process:
>
> @auth.requires_membership('admin')
> def index():
>     link = URL('other', user_signature=True)  #1
>     return dict(link=link)
>
> @auth.requires_signature()  #2
> def other():
>     return dict(message='hello world')
>
> This means the index() action generates a one-time link that only works
> for this one user within this one session. Only this user within this one
> session can access the "other" action by following the link. The link will
> be different for another user. If the user logs out or somebody steals it,
> the link does not use it. This is the same as:
>
> What you need is different. What you need depends on how the files got in
> that folder. If they were uploaded using
>
> db.define_table(...Field('file','upload')...)
>
> then you simply need to set
>
> db.define_table(...Field('file','upload',authorize=lambda row: auth.has_permission('download','file'))...)
>
> If these are static files that you create server side then you need your
> own controller:
>
> import os
>
> # auth.requires_permission is the decorator form of auth.has_permission
> @auth.requires_permission('download', 'file')
> def getfile():
>     # Stream the file named by the first URL argument from the protected folder
>     return response.stream(open(os.path.join('/location/', request.args(0)), 'rb'))
>
> This assumes your users are members of a group (for example 'downloaders')
> and this group has permission to 'download', 'file'.
> You can create the group and the permission entry using appadmin.
>
> Massimo
>
> On Friday, 27 July 2012 10:00:23 UTC-5, lyn2py wrote:
>>
>> I want to create a protected folder containing file uploads, which can
>> only be accessed selectively (different set of files for different users,
>> depending on their permissions).
>>
>> They should not be able to access it even if they have the direct link.
>>
>> Can I (or should I) do this using digitally signed urls?
>> Or is there a better way about it?
>>
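
The per-session signed link described in the reply above, as a stand-alone sketch added here (not part of the thread and not web2py's own implementation). The `_signature` parameter name, the canonical form and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SIG_PARAM = "_signature"  # parameter name assumed for this sketch


def new_session_key() -> bytes:
    """Random key created at login and kept only in the server-side session."""
    return secrets.token_bytes(32)


def _mac(session_key: bytes, canonical: str) -> str:
    return hmac.new(session_key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, query: dict, session_key: bytes) -> str:
    """Append an HMAC computed over the path and the sorted query string."""
    canonical = path + "?" + urlencode(sorted(query.items()))
    sep = "&" if query else ""
    return canonical + sep + urlencode({SIG_PARAM: _mac(session_key, canonical)})


def verify_url(url: str, session_key) -> bool:
    """Accept the link only if it was signed with this session's key."""
    if session_key is None:  # user logged out: the key is gone with the session
        return False
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    sigs = params.pop(SIG_PARAM, [])
    if len(sigs) != 1:  # missing or duplicated signature
        return False
    query = sorted((k, v) for k, vs in params.items() for v in vs)
    canonical = parts.path + "?" + urlencode(query)
    expected = _mac(session_key, canonical)
    # Constant-time comparison on bytes avoids leaking how many characters matched
    return hmac.compare_digest(expected.encode(), sigs[0].encode())


if __name__ == "__main__":
    alice, mallory = new_session_key(), new_session_key()  # constructed sessions
    link = sign_url("/app/default/other", {"id": "7"}, alice)
    print(verify_url(link, alice))    # same session
    print(verify_url(link, mallory))  # copied into another session
```

The signature only shows that the link was issued inside the current session; deciding which files a user may download still needs the permission check from the reply.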