restrict direct access to .load component views


Kirill Shatalaev

Aug 21, 2016, 3:22:58 AM
to web2py-users

Hello.

In the book we see:

We can access it at the URL

http://127.0.0.1:8000/test/comments/post.load

But in production I do not want the user to access this directly! It must be callable only from the template {{=LOAD}}

How must I restrict this, by webserver (apache deny, for example) rules?

Or does web2py have a mechanism to do this?

If the component is loaded via AJAX, I can perform a check, something like:

if not request.ajax:
    raise HTTP(404)

But what can I do if the component is not AJAX-driven?

Anthony

Aug 21, 2016, 9:58:33 AM
to web2py-users
Why does it matter? Most likely the user wouldn't know to go to the .load URL, and even if they did, they will simply view a poorly formatted version of what they can already see elsewhere. If the action needs to be protected via authentication, then decorate it with an Auth decorator, as any other action.

Anyway, this is not part of the public API so not guaranteed to remain backward compatible, but I suppose you could always do:

    if not request.cid:
        raise HTTP(404)

But again, if the action needs to be protected via authentication, then use Auth decorators instead.

Anthony
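
Added example, not part of the thread and not web2py's own code: a stand-alone model of the two checks discussed above, showing why `request.ajax` misses a non-AJAX component while `request.cid` does not, with the login check placed first. The `HTTP` class, `flags_from_headers`, `post`, `status_of` and the sample requests are hypothetical stand-ins; the header-to-flag mapping and the 401 for a missing login are assumptions modelled on web2py's behaviour.

```python
"""Stand-alone model of the guards discussed in the thread; not web2py source."""

class HTTP(Exception):
    """Stand-in for web2py's HTTP exception; only the status code is modelled."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def flags_from_headers(headers):
    """Assumed mapping, modelled on web2py: both flags come from request headers."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "ajax": h.get("x-requested-with", "").lower() == "xmlhttprequest",
        "cid": h.get("web2py-component-element"),
    }

def post(request, logged_in):
    """Hypothetical component action: authorization first, then the cid check."""
    if not logged_in:        # what an Auth decorator enforces (simplified to 401)
        raise HTTP(401)
    if not request["cid"]:   # not running as a component: hide the bare URL
        raise HTTP(404)
    return "comments for component %s" % request["cid"]

def status_of(request, logged_in):
    """Run the action and report the status a client would observe."""
    try:
        post(request, logged_in)
        return 200
    except HTTP as e:
        return e.status

# Constructed sample requests.
DIRECT = flags_from_headers({})                  # .load URL opened in a browser
AJAX_LOAD = flags_from_headers({                 # {{=LOAD(..., ajax=True)}}
    "X-Requested-With": "XMLHttpRequest",
    "web2py-component-element": "c123",          # constructed element id
})
# Assumed: a non-AJAX LOAD runs the action server-side and sets cid itself,
# so ajax stays False while cid is present.
INLINE_LOAD = {"ajax": False, "cid": "c123"}

if __name__ == "__main__":
    for name, req in [("direct", DIRECT), ("ajax", AJAX_LOAD), ("inline", INLINE_LOAD)]:
        print(name, status_of(req, True), status_of(req, False))
```

Because both flags are derived from headers the client sends, the 404 only keeps the bare URL from rendering in a browser; the login check is what decides who may see the data.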