Hello
I am trying, without success, to create a secured page.
So, I have a form Form_website where I offer the possibility to login using a button.
When you click that button you get to Form_main where:
class Form_main(Form_mainTemplate):
def __init__(self, **properties):
# Set Form properties and Data Bindings.
self.init_components(**properties)
self.content_panel.add_component(Form_main_central())
# Any code you write here will run when the form opens.
anvil.users.login_with_form(allow_cancel=True)
loged = anvil.users.get_user()
self.link_user.text = loged
if not loged:
open_form('Form_website')
so I am expecting the login form to show up, it does
then if you cancel or get the password wrong then you go back to the main page.
This is my idea of securing the Form_main.
Also
This is a classic - you are opening another form before the current form has loaded, instead move it to the form show event:
class Form_main(Form_mainTemplate):
def __init__(self, **properties):
# Set Form properties and Data Bindings.
self.init_components(**properties)
self.content_panel.add_component(Form_main_central())
# Any code you write here will run when the form opens.
def form_show(self, **event_args):
anvil.users.login_with_form(allow_cancel=True)
loged = anvil.users.get_user()
self.link_user.text = loged
if not loged:
open_form('Form_website') #I can't be in an init method
A better approach would be to create a startup module, see this post for a typical approach to checking a user on startup and determining which form to load:
Hi, thank you for your answer, but:
first I tried your changes on form_show, but seems is never fired, so no login pop up shows.
Then I tried the startup module, which works but is not solving my problem.
I am trying to solve a very simple use case: have a Form explaining the product, from there people can create an account/login. So I have an “Open form” which I call Form_website and the rest of the Forms that are part of the product and should be secured.
The startup module redirects people, correct, but it is not securing the private area. I mean, could somebody with a link access to a private area?
Also is not really nice, you are not welcomed with a login pop up window when you go to gmail.com, you get to a product page.
Make sure you have added the form show event in the design view.
For something like this I always raise an exception in server calls if there is no logged-in user so that they can’t access data.
def ensure_user():
user = anvil.users.get_user()
if user is None:
raise anvil.users.AuthenticationFailed('No logged in user')
return user
@anvil.server.callable
def get_data():
user = ensure_user()
return data
Remember if you have anything on the client side then someone could access it if they really wanted to…
well, what I am doing on every data call is to filter by user, basically this: user = anvil.users.get_user()
so if they are not logged in they will see nothing.
I think that is safe enough?
Like @stucork, I personally throw an error if the user is not logged in and a non-registered user shouldn’t be using the app. This activity will also show up in the app logs which may be important to you. The important thing is that you are not returning data to the client that you want to keep private.
