[albatross-users] popview example from documentation

Andrew McNamara andrewm at object-craft.com.au
Tue May 13 10:35:02 EST 2003


>Sheila> I don't completely get why it is using an image tag for the
>Sheila> link to the "details" page for viewing individual
>Sheila> messages...but getting past that...
>
>Since the session is purely client side we need the client to send the
>session when a message is selected.  The cheap trick used in the
>example is to place each message in the list in a form.  When the
>image input is clicked the __albstate__ will be sent as part of the
>browser submission.
>
>This could have been done with some Javascript:
>
>     <al-form method="post" name="item">
>      <a href="#" onClick="item.submit();">View</a>
>      <al-input type="hidden" name="msgnum" expr="m.value().msgnum">
>     </al-form>

To elaborate, the user session context (their pop username and password)
is saved in a hidden field in the form. This means that we need to have
the browser submit the form, or we'd lose the session context. A normal
<al-a> tag doesn't submit the form - so we used an <al-input type="image">.
We could have used an <al-input type="submit">, but the image button tends
to look better.

BTW, popview1 places the <al-form> inside an <al-for> - this means the
hidden session fields get repeated for every message in the mailbox (have
a look at the generated source). You probably wouldn't want to do this
in a real application (although for small/simple applications it's okay).
Instead, you might use the "nameexpr" attribute (rather than "name") to
give each button a unique name.

>Sheila> In Mozilla 1.3 it doesn't work at all. Clicking on the image
>Sheila> link to view the individual messages just returns me to the
>Sheila> list page, repeatedly.
>
>Odd.  The only time I have ever seen this is when I fiddled around
>with the application and started using an Application/Execution
>context class that assumed the session was somewhere else.

The trick would be to see what the browser is actually submitting to
albatross. If you look at the Request class in albatross's cgiapp.py,
you'll see it uses Python's cgi.FieldStorage class - you could add some
debug to Request.__init__ to dump the contents of self.__fields to stderr.

>Sheila> Has anyone else encountered this behavior? It concerns me, as
>Sheila> I will soon be working on a project which requires session
>Sheila> management and login authentication, and cross-browser
>Sheila> compatibility is very important. So, I'd like to understand
>Sheila> what is going on here...

Yes - we'd also be interested in what's going on... 8-)

>Make sure that you place important values in underscore prefixed
>variables.  The request merging will refuse to place browser supplied
>values prefixed by '_' in ctx.locals.

What Dave is saying here is that ctx.locals contains both the user session
data as well as fields from submitted forms. You'll quickly realise that
a hacker could alter variables other than those you intended by hand
crafting a fake form submission. To counter this, any form field that
starts with an underscore is not merged into ctx.locals, meaning that if
you give any security critical session variables a leading underscore,
they can't be overwritten by the form fields.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
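Added example, not code from this message or from Albatross itself: a small
simulation of the two mechanisms discussed above - a session carried
client-side in the hidden state field, which is only sent when the browser
submits the form, and the merge step that refuses to copy any browser
field whose name starts with an underscore into ctx.locals. The names
(encode_state, decode_state, merge_request_fields, handle_request, the
_pop_user/_pop_pass session keys) and the JSON-plus-HMAC encoding of the
state blob are assumptions made for illustration; Albatross's real
__albstate__ format is not reproduced. The request bodies are constructed
inline, and urllib.parse.parse_qs stands in for cgi.FieldStorage.

```python
"""Simulated client-side session plus the underscore merge rule.
Illustrative code only; not Albatross's own Request/merge code."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

STATE_FIELD = '__albstate__'
# Assumed server-side secret; in a real application this comes from config.
SERVER_KEY = b'constructed-server-side-secret'


def encode_state(session):
    """Serialise the session into a blob the browser can carry in a
    hidden field, with an HMAC so it cannot be altered undetected
    (the HMAC is this example's choice, not a claim about Albatross)."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + '.' + tag


def decode_state(blob):
    """Return the session dict, or None if the blob is missing or tampered."""
    if not blob:
        return None
    try:
        b64, tag = blob.split('.', 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:          # binascii.Error is a ValueError
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def parse_form_body(body):
    """Parse a urlencoded POST body into {name: value}; this is what a
    debug dump of the parsed request fields would show you."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def merge_request_fields(session, fields):
    """Build ctx.locals: session first, then browser fields on top,
    except that any field named with a leading '_' is refused."""
    ctx_locals = dict(session)
    rejected = [name for name in fields if name.startswith('_')]
    for name, value in fields.items():
        if not name.startswith('_'):
            ctx_locals[name] = value
    return ctx_locals, rejected


def handle_request(body):
    """One request cycle: recover the state, then merge the visible fields."""
    fields = parse_form_body(body)
    session = decode_state(fields.get(STATE_FIELD))
    if session is None:
        return None, []          # no valid state: treat as not logged in
    return merge_request_fields(session, fields)


def build_body(state_blob, **visible):
    """Constructed browser submission: hidden state plus visible inputs."""
    return urlencode({STATE_FIELD: state_blob, **visible})


def demo():
    session = {'_pop_user': 'sheila', '_pop_pass': 'hunter2',
               'display_name': 'Sheila'}
    blob = encode_state(session)
    # Honest click on the image button for message 3.
    honest = handle_request(build_body(blob, msgnum='3'))
    # Hand-crafted submission trying to overwrite session variables:
    # _pop_user is refused, display_name (no underscore) is overwritten.
    forged = handle_request(build_body(blob, msgnum='3', _pop_user='admin',
                                       display_name='Mallory'))
    # Edited state blob with the original tag: rejected by the HMAC check.
    bad_payload = base64.urlsafe_b64encode(
        json.dumps({**session, '_pop_user': 'admin'}, sort_keys=True).encode()
    ).decode()
    tampered = handle_request(build_body(bad_payload + '.' + blob.split('.', 1)[1],
                                         msgnum='3'))
    # A plain <a href> link submits no form at all, so the state is lost.
    bare_link = handle_request('')
    return honest, forged, tampered, bare_link


if __name__ == '__main__':
    for label, result in zip(('honest', 'forged', 'tampered', 'bare link'), demo()):
        print(label, '->', result)
```

Two things worth noticing when you run it. The state field itself begins
with an underscore, so the merge rule keeps it out of ctx.locals without
any special case. And the underscore rule only stops overwrites through
ordinary form fields: since the state blob is also browser-supplied,
whatever carries the session needs its own integrity protection, which is
why this example adds an HMAC; how Albatross protects __albstate__ is not
covered in this message.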