AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]
Stefan H. Holek
stefan at epy.co.at
Fri Oct 24 04:35:58 EDT 2003
Why is everybody so obsessed with AUTHENTICATED_USER? This variable is not
suitable for anything deserving the name "security". It is NOT SAFE to
assume that it will contain anything useful.

This is even documented in the online help:

    SecurityGetUser() -- Return the current user object. This is
    normally the same as the 'REQUEST.AUTHENTICATED_USER'
    object. However, the 'AUTHENTICATED_USER' object is insecure since
    it can be replaced.

To get the logged-in user call:
and please forget about AUTHENTICATED_USER and the REQUEST as a source of
trustable information in general.
--On Thursday, 23 October 2003 19:52 -0400 Brad Clements
<bkc at murkworks.com> wrote:
> I looked at newSecurityManager and it doesn't seem to set
> request.AUTHENTICATED_USERS, so I do that too.
The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is. /Pete McBreen/
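
An added illustration, not part of the original message and a constructed model rather than Zope code: it contrasts an access check keyed on the request variable with one keyed on the security context, and includes a divergence check a defender could log on. All class and function names are hypothetical; `current_user()` stands in for Zope's `getSecurityManager().getUser()` from `AccessControl`.

```python
import threading

# Constructed model, not Zope code. The request is a mutable mapping that any
# code handling the request can write to; the security context lives outside it.
_context = threading.local()

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles

def publisher_authenticate(request, user):
    """Hypothetical stand-in for the publisher after it validated credentials."""
    _context.user = user                   # authoritative record
    request["AUTHENTICATED_USER"] = user   # convenience copy, replaceable

def current_user():
    """Hypothetical stand-in for getSecurityManager().getUser()."""
    return _context.user

def may_manage_weak(request):
    # Weak: trusts a request variable.
    return request["AUTHENTICATED_USER"].has_role("Manager")

def may_manage_strong(request):
    # Strong: ignores the request and asks the security context.
    return current_user().has_role("Manager")

def request_user_diverges(request):
    # Detection aid: the request copy no longer matches the security context.
    return request.get("AUTHENTICATED_USER") is not current_user()

def demo():
    request = {}
    publisher_authenticate(request, User("alice", ["Member"]))  # constructed user
    before = (may_manage_weak(request), may_manage_strong(request),
              request_user_diverges(request))
    # Later code in the same request rebinds the variable.
    request["AUTHENTICATED_USER"] = User("someone-else", ["Manager"])
    after = (may_manage_weak(request), may_manage_strong(request),
             request_user_diverges(request))
    return before, after

if __name__ == "__main__":
    print(demo())
```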