SQLFORM.grid and user_signature - unexpected behavior

Tom Clerckx

May 10, 2021, 9:22:24 AM
to web2py-users

I was running into an issue with SQLFORM.grid and, after going through the code, I realized that the grid does not include request.vars when calculating the URL signature (ref: v2.21.1, gluon/sqlhtml.py @ 2440).

Please correct me if I am wrong; otherwise it may be useful to add something about this behavior to the web2py documentation:


SQLFORM.grid validates the signature without taking into account request.vars

As such, any constructed URL that contains a user_signature and points to the page whose controller function creates this grid should have this signature created without including request.vars!

Thus, hash_vars should be set to False in that case. If not, you may get a ‘not authorized’ flash message and you will be redirected.

E.g. a signed URL pointing to such a page should look like:

URL('mypage_with_grid', args=['a', 'b', 'c'], vars={'var1': 'val1'}, user_signature=True, hash_vars=False)
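
A simplified model of the mismatch described in the post above, added here as an example; it is not web2py's code and not part of the original thread. The key, the path, the HMAC-SHA1 construction and the helper names (`sign`, `signed_request`, `grid_style_verify`, `demo`) are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed key; in a real app this would be a per-session secret.
KEY = b"constructed-hmac-key"


def sign(path, query_vars, hash_vars, key=KEY):
    """HMAC over the path, plus the sorted query vars only if hash_vars is set."""
    covered = urlencode(sorted(query_vars.items())) if hash_vars else ""
    return hmac.new(key, f"{path}?{covered}".encode(), hashlib.sha1).hexdigest()


def signed_request(path, query_vars, hash_vars):
    """Return the request vars a signed link would carry (vars + _signature)."""
    return dict(query_vars, _signature=sign(path, query_vars, hash_vars))


def grid_style_verify(path, request_vars, key=KEY):
    """Verifier that ignores request vars, as the post says the grid does."""
    supplied = request_vars.get("_signature", "")
    expected = sign(path, {}, hash_vars=False, key=key)
    return hmac.compare_digest(supplied, expected)


def demo():
    path = "/app/default/mypage_with_grid/a/b/c"  # constructed path with args
    qv = {"var1": "val1"}
    with_vars = signed_request(path, qv, hash_vars=True)
    without_vars = signed_request(path, qv, hash_vars=False)
    # Vars sit outside the signature, so a changed value still verifies:
    # the handler has to validate var1 itself.
    changed = dict(without_vars, var1="other")
    return {
        "hash_vars=True": grid_style_verify(path, with_vars),
        "hash_vars=False": grid_style_verify(path, without_vars),
        "vars changed after signing": grid_style_verify(path, changed),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'not authorized'}")
```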


Tom Clerckx

May 24, 2021, 3:53:06 AM
to web2py-users
Can someone confirm my reasoning... or correct it if it's wrong?

Thanks,
Tom.
