Why is everybody so obsessed with AUTHENTICATED_USER? This variable is not suitable for anything deserving the name "security". It is NOT SAFE to assume that it will contain anything useful.

This is even documented in the online help:

SecurityGetUser()
-- Return the current user object. This is normally the same as the 'REQUEST.AUTHENTICATED_USER' object. However, the 'AUTHENTICATED_USER' object is insecure since it can be replaced.

To get the logged-in user call:

SecurityGetUser()
or
getSecurityManager().getUser()
or
portal_membership.getAuthenticatedMember()

and please forget about AUTHENTICATED_USER and the REQUEST as a source of trustable information in general.

Stefan

--On Thursday, 23 October 2003 19:52 -0400 Brad Clements <bkc@murkworks.com> wrote:
> I looked at newSecurityManager and it doesn't seem to set request.AUTHENTICATED_USERS, so I do that too.
--
The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
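
Added example (not part of the original message and not Zope's own code): a simplified, self-contained Python model of the point made above, that a user object held in a mutable request can be replaced while the user bound to the security manager is unaffected by the request. The names User, new_security_manager, get_security_user and the dict standing in for REQUEST are hypothetical stand-ins, and the sample users are constructed.

```python
import threading

_ctx = threading.local()  # per-thread security context, kept outside the request

class User:
    def __init__(self, name, roles=()):
        self.name, self.roles = name, frozenset(roles)
    def has_role(self, role):
        return role in self.roles

ANONYMOUS = User("Anonymous User")

def new_security_manager(request, user):
    """Model of binding the authenticated user to the running thread.
    As noted in the quoted message, the request itself is not updated."""
    _ctx.user = user

def get_security_user():
    """Model of getSecurityManager().getUser(): reads only the thread context."""
    return getattr(_ctx, "user", ANONYMOUS)

def is_manager_from_request(request):
    # Anti-pattern: trusts whatever object currently sits in the request.
    return request.get("AUTHENTICATED_USER", ANONYMOUS).has_role("Manager")

def is_manager_from_security_manager(request):
    # Preferred: ignores the request and asks the security context.
    return get_security_user().has_role("Manager")

def request_user_mismatch(request):
    """Audit helper: True when the request-held user is not the real one."""
    held = request.get("AUTHENTICATED_USER")
    return held is not None and held is not get_security_user()

def demo():
    request = {}                             # constructed stand-in for REQUEST
    alice = User("alice", roles=["Member"])  # constructed sample user
    new_security_manager(request, alice)
    request["AUTHENTICATED_USER"] = alice    # normal case: both sources agree
    before = (is_manager_from_request(request),
              is_manager_from_security_manager(request))
    # The request is mutable, so the key can be rebound to another object.
    request["AUTHENTICATED_USER"] = User("alice", roles=["Manager"])
    after = (is_manager_from_request(request),
             is_manager_from_security_manager(request))
    return before, after, request_user_mismatch(request)
```
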