Peter Bengtsson <peter@fry-it.com> wrote:
Dieter Maurer <dieter@handshake.de> wrote:
Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference?
The security manager could be changed (e.g. with "newSecurityManager"). "getSecurityManager" would report the change but not "AUTHENTICATED_USER".
"newSecurityManager"?? Never heard of that. The __doc__ says """ Set up a new security context for a request for a user """
What is this used for? I'm guessing it's something we use in unittests and stuff.
It's used whenever some code has to act "as if" it was another user. The only use I find in core Zope code is when a temporary container for session objects calls its notify method. It does so as an anonymous user instead of the logged-in one. But third-party code can use it too. CPS does, for instance.

Florent

--
Florent Guillaume, Nuxeo (Paris, France)
CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com
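The difference discussed in this thread, as an added example that is not part of any message above and is not Zope's own code: a pure-Python model in which code runs "as if" it was another user while `REQUEST.AUTHENTICATED_USER` stays unchanged. The function bodies are stand-ins that only mirror the names `getSecurityManager`, `newSecurityManager` and `setSecurityManager`; `publish`, `notify_as`, `who_am_i`, `demo` and the user names are hypothetical.

```python
import threading

_state = threading.local()  # model: one security manager per thread

class SecurityManager:
    """Stand-in for Zope's security manager: it only remembers the user."""
    def __init__(self, user):
        self._user = user
    def getUser(self):
        return self._user

def newSecurityManager(request, user):
    """Model of the call discussed above: install a fresh context for `user`."""
    _state.manager = SecurityManager(user)

def getSecurityManager():
    return _state.manager

def setSecurityManager(manager):
    _state.manager = manager

def publish(request, user):
    """Model of the publisher: authenticate once, at the start of the request."""
    request["AUTHENTICATED_USER"] = user
    newSecurityManager(request, user)

def notify_as(user, request, callback):
    """Run callback "as if" it was `user`, then restore the caller's context."""
    saved = getSecurityManager()
    newSecurityManager(None, user)
    try:
        return callback(request)
    finally:
        setSecurityManager(saved)  # restore even if the callback raises

def who_am_i(request):
    """Report the user as seen through each of the two lookups."""
    return (getSecurityManager().getUser(), request["AUTHENTICATED_USER"])

def demo():
    request = {}  # constructed stand-in for REQUEST
    publish(request, "peter")
    before = who_am_i(request)
    during = notify_as("Anonymous User", request, who_am_i)
    after = who_am_i(request)
    return before, during, after

if __name__ == "__main__":
    print(demo())
```

Inside `notify_as` the two lookups disagree, so a permission check keyed on `AUTHENTICATED_USER` would evaluate the logged-in user rather than the user the code is actually running as.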