getSecurityManager() vs. AUTHENTICATED_USER
I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference? I fear I've come across a situation when getSecurityManager() returns nothing where AUTHENTICATED_USER did. I'm currently trying to reproduce the situation but it might involve odd URL usage and it's a bore to have to restart the browser every time. Just hoping someone could give me a quick answer because I don't understand much simply by reading the source.

    from AccessControl import getSecurityManager

    class MyProduct(...):
        def Who(self):
            #return self.REQUEST.AUTHENTICATED_USER.getUserName()
            return getSecurityManager().getUser().getUserName()

--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
--On 8. Juli 2005 13:24:20 +0100 Peter Bengtsson <peterbe@gmail.com> wrote:
> I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference? I fear I've come across a situation when getSecurityManager() returns nothing.

I've never seen that.

-aj
Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference.

The security manager could be changed (e.g. with "newSecurityManager"). "getSecurityManager" would report the change but not "AUTHENTICATED_USER".

--
Dieter
On 7/8/05, Dieter Maurer <dieter@handshake.de> wrote:
> Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> > I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference.
> The security manager could be changed (e.g. with "newSecurityManager"). "getSecurityManager" would report the change but not "AUTHENTICATED_USER".

"newSecurityManager" ?? never heard of that. The __doc__ says """ Set up a new security context for a request for a user """

What is this used for? I'm guessing it's something we use in unittests and stuff.

--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
Peter Bengtsson <peter@fry-it.com> wrote:
> Dieter Maurer <dieter@handshake.de> wrote:
> > Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> > > I've learnt that it's better to use getSecurityManager instead of REQUEST.AUTHENTICATED_USER because it's more secure. Other than that, what is the difference.
> > The security manager could be changed (e.g. with "newSecurityManager"). "getSecurityManager" would report the change but not "AUTHENTICATED_USER".
> "newSecurityManager" ?? never heard of that. The __doc__ says """ Set up a new security context for a request for a user """
> What is this used for? I'm guessing it's something we use in unittests and stuff.

It's used whenever some code has to act "as if" it was another user. The only use I find in core Zope code is when a temporary container for session objects calls its notify method. It does so as an anonymous user instead of the logged-in one. But third-party code can use it too. CPS does, for instance.

Florent

--
Florent Guillaume, Nuxeo (Paris, France)
CTO, Director of R&D
+33 1 40 33 71 59
http://nuxeo.com
fg@nuxeo.com
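A simplified model of the behaviour Dieter and Florent describe, added here as an illustration; it is not code from the thread or from Zope. The classes and functions are stand-ins that reuse Zope's names, and `acting_as` is a hypothetical helper. While code acts as another user, only getSecurityManager() reports the effective user, so a check keyed on AUTHENTICATED_USER would use the wrong identity.

```python
import threading
from contextlib import contextmanager

_state = threading.local()  # the model keeps one security manager per thread

class User:
    def __init__(self, name):
        self._name = name
    def getUserName(self):
        return self._name

class SecurityManager:
    def __init__(self, user):
        self._user = user
    def getUser(self):
        return self._user

class Request:
    # AUTHENTICATED_USER is written once, when the request is authenticated.
    def __init__(self, user):
        self.AUTHENTICATED_USER = user

def newSecurityManager(request, user):
    _state.manager = SecurityManager(user)

def getSecurityManager():
    return _state.manager

def setSecurityManager(manager):
    _state.manager = manager

@contextmanager
def acting_as(request, user):
    # Hypothetical helper: swap the manager, and always restore the saved one.
    saved = getSecurityManager()
    newSecurityManager(request, user)
    try:
        yield
    finally:
        setSecurityManager(saved)

def who(request):
    # (name seen via AUTHENTICATED_USER, name seen via the security manager)
    return (request.AUTHENTICATED_USER.getUserName(),
            getSecurityManager().getUser().getUserName())

def demo():
    peter, anon = User("peter"), User("Anonymous User")  # constructed users
    request = Request(peter)
    newSecurityManager(request, peter)  # state after normal authentication
    before = who(request)
    with acting_as(request, anon):
        during = who(request)
    return before, during, who(request)
```

The try/finally in `acting_as` is what keeps the temporary identity from leaking into the rest of the request if the wrapped code raises.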
participants (4): Andreas Jung, Dieter Maurer, Florent Guillaume, Peter Bengtsson