On Fri, 2003-10-10 at 06:14, Eric Merritt wrote:
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Thanks! I don't know why this didn't occur to me. It does however make good sense. Thanks for the info, I do have one more question though.
Can I add to the user information?
It's not quite as easy to add properties to user objects as it is with other objects. There's no TTW interface, but it can be done programmatically... more importantly, there are other options.

For example, you could create a folder for each user that has their username as its id. That folder could then store the userid property. Looking up the id might then be as easy as:

context[get_user()].userid

Having these folders may allow for some nice Acquisition magic too.

Depending on the number of users you have, the easiest thing might be to store a username:userid mapping somewhere and resolve from that, eg:

-----
my_map = {'bob':27, 'sally':38, ...}
return my_map.get(get_user())
-----

HTH,
Dylan
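
Added example, not part of the original thread and not Zope's own code: a plain-Python model of the lookup discussed above that takes identity only from the authenticated name, fails closed when the mapping has no entry (where `my_map.get()` would return None), and records when a request parameter claims a different user. The names `resolve_userid`, `NotMapped`, `alerts` and the `username` form field are hypothetical, and the mapping is constructed sample data.

```python
# Added example: plain Python, no Zope needed. All names here are hypothetical.
ANONYMOUS = "Anonymous User"          # username Zope reports when nobody is logged in
USER_IDS = {"bob": 27, "sally": 38}   # constructed username:userid mapping


class NotMapped(Exception):
    """Raised instead of handing None to the query."""


def resolve_userid(auth_name, form, user_ids=USER_IDS, alerts=None):
    """Return the userid for the authenticated user.

    auth_name -- what get_user() returned (server side, from authentication)
    form      -- request parameters (client controlled, never used for identity)
    alerts    -- optional list that collects mismatch notes for logging
    """
    if auth_name == ANONYMOUS or auth_name not in user_ids:
        # my_map.get() would return None here; fail closed instead.
        raise NotMapped("no userid for %r" % (auth_name,))
    claimed = form.get("username")
    if claimed is not None and claimed != auth_name and alerts is not None:
        # The client sent a different name than the one it authenticated as.
        alerts.append("user %r sent username=%r" % (auth_name, claimed))
    # The lookup key is always the authenticated name, never the form value.
    return user_ids[auth_name]


if __name__ == "__main__":
    alerts = []
    print(resolve_userid("bob", {}, alerts=alerts))
    print(resolve_userid("bob", {"username": "sally"}, alerts=alerts))
    print(alerts)
    try:
        resolve_userid(ANONYMOUS, {"username": "sally"})
    except NotMapped as exc:
        print("rejected:", exc)
```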