AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]

Stefan H. Holek stefan at
Fri Oct 24 04:35:58 EDT 2003

Why is everybody so obsessed with AUTHENTICATED_USER? This variable is not 
suitable for anything deserving the name "security". It is NOT SAFE to 
assume that it will contain anything useful.

This is even documented in the online help:

    SecurityGetUser() -- Return the current user object. This is
    normally the same as the 'REQUEST.AUTHENTICATED_USER'
    object. However, the 'AUTHENTICATED_USER' object is insecure since
    it can be replaced.

To get the logged-in user call:

SecurityGetUser() or
getSecurityManager().getUser() or

and please forget about AUTHENTICATED_USER and the REQUEST as a source of 
trustable information in general.


--On Donnerstag, 23. Oktober 2003 19:52 -0400 Brad Clements 
<bkc at> wrote:

> I looked at newSecurityManager and it doesn't seem to set
> request.AUTHENTICATED_USERS, so I do that too.

The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is.               /Pete McBreen/

More information about the Zope mailing list