From 561828fa604f4665f0c4e9618d69ba1381309a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonel=20C=C3=A2mara?= Date: Fri, 28 Jul 2017 02:20:54 +0100 Subject: [PATCH] Fix autocomplete called after user_signature chk Fixes #1699 which was caused by the autocomplete widget only being called after a user_signature check and the signature not being there. The default values for user_signature and hash_vars make this work with the grid when it has the user_signature=True option without any problem when that isn't the case. Users can disable it if they want or change it according to what they're verifying in their controllers. The autocomplete widget will still fail with the default kwargs in a situation where it is called in a controller function that first verifies the URL signature with hash_vars=True. For users having that problem, there's no way around this without inserting a security flaw, so they must sadly change their application code to give the autocomplete widget the needed user_signature and hash_vars argument. --- gluon/sqlhtml.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gluon/sqlhtml.py b/gluon/sqlhtml.py index 0468c0f7..b957ff0d 100644 --- a/gluon/sqlhtml.py +++ b/gluon/sqlhtml.py @@ -658,7 +658,8 @@ class AutocompleteWidget(object): orderby=None, limitby=(0, 10), distinct=False, keyword='_autocomplete_%(tablename)s_%(fieldname)s', min_length=2, help_fields=None, help_string=None, - at_beginning=True, default_var='ac'): + at_beginning=True, default_var='ac', user_signature=True, + hash_vars=False): self.help_fields = help_fields or [] self.help_string = help_string @@ -683,7 +684,8 @@ class AutocompleteWidget(object): if hasattr(request, 'application'): urlvars = request.vars urlvars[default_var] = 1 - self.url = URL(args=request.args, vars=urlvars) + self.url = URL(args=request.args, vars=urlvars, + user_signature=user_signature, hash_vars=hash_vars) self.run_callback = True else: self.url = request