26 Aug 2004, 3:06 p.m.
In TransientObject __guarded_setitem__ is just set to __setitem__. This means that everything you set in the session dictionary is changeable through user code. Is there a good reason for this?

I think it would be nice if I could set secret things in the session, mainly authentication information. If I do this currently, any user code can change it, which isn't exactly safe.

    REQUEST.SESSION['__ac_username'] = 'root'

Ooops! :)

This change:

    def __guarded_setitem__(self, k, v):
        if k[0] == '_':
            raise SomeThingOrAnotherError
        self.__setitem__(k, v)

Fixes that. Then you can only set it from protected code. Is there some reason why this is NOT a good idea?

//Lennart
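The difference between the current and the proposed guard, as an added example that is not part of the original message and is not Zope's code. `OpenSession`, `ProtectedSession`, `GuardedKeyError` and `restricted_setitem` are hypothetical stand-ins (the last one for a sandbox that routes untrusted item assignment through `__guarded_setitem__`), and the stored values are constructed.

```python
class GuardedKeyError(Exception):
    """Hypothetical stand-in for the post's SomeThingOrAnotherError."""


class OpenSession(dict):
    """Behaviour described in the post: the guarded hook is plain __setitem__."""
    __guarded_setitem__ = dict.__setitem__


class ProtectedSession(dict):
    """Proposed behaviour: untrusted code may not write keys starting with '_'."""

    def __guarded_setitem__(self, k, v):
        # startswith() on a checked str avoids the IndexError/TypeError that
        # k[0] would raise for an empty string or a non-string key.
        if isinstance(k, str) and k.startswith('_'):
            raise GuardedKeyError(k)
        self.__setitem__(k, v)


def restricted_setitem(session, k, v):
    """Assumed sandbox behaviour: untrusted writes go through the guarded hook."""
    session.__guarded_setitem__(k, v)


def run_untrusted_write(session_cls):
    """Trusted code stores auth data, then untrusted code tries to overwrite it."""
    session = session_cls()
    session['__ac_username'] = 'alice'             # trusted: direct __setitem__
    restricted_setitem(session, 'colour', 'blue')  # ordinary key stays writable
    try:
        restricted_setitem(session, '__ac_username', 'root')
        blocked = False
    except GuardedKeyError:
        blocked = True
    return session['__ac_username'], session['colour'], blocked


if __name__ == '__main__':
    for cls in (OpenSession, ProtectedSession):
        print(cls.__name__, run_untrusted_write(cls))
```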