AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]

Andy McKay andy at
Fri Oct 24 16:34:21 EDT 2003

Stefan H. Holek wrote:
> Why is everybody so obsessed with AUTHENTICATED_USER? This variable is 
> not suitable for anything deserving the name "security". It is NOT SAFE 
> to assume that it will contain anything useful.

Good job core products like RAM Cache Manager use AUTHENTICATED_USER by 
default then ;)
   Andy McKay
   ClearWind Consulting

More information about the Zope mailing list