[Zope-dev] Setuid code not possible w/new Security API

Phillip J. Eby pje@telecommunity.com
Fri, 26 May 2000 16:10:27 -0500


In previous versions of Zope, it was possible to do "setuid" code by
setting AUTHENTICATED_USER to a new user, then resetting when code
completed.  Zope 2.2 loses this ability, as it has absolutely no API for
setting or stacking the "current user", without completely replacing the
ZopeSecurityPolicy.

This is problematic for things like GUF and GUS which want to execute
certain through-the-web objects *as* a particular user.  Not as a mask
between that user and the current user, but *as* that user, because the
object is in the process of finding out what roles the logging-in user has.

Currently, it would seem the only way to do this in bounds of the current
ZopeSecurityPolicy is to poke into getSecurityManager()._context.user,
which seems like a bad idea.  There is already a getUser() method on the
SecurityManager; should there perhaps be a setUser() (or _setUser()) method
as well?
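Added example, not code from the post or from Zope: a minimal stand-in for a security manager that stacks the "current user" so run-as code always falls back to the caller when it completes, including when the through-the-web object raises. The `SecurityManager`, `runAs` and `lookup_roles_as` names and the role table are assumptions constructed for this illustration; they are not the Zope 2.2 API the post is asking for.

```python
"""Added example (not Zope's code): a user-stacking security manager shim.

The point of a setuid-style API is that the impersonation is bounded: the
original user must be restored when the block completes, whether it returns
normally or raises. A stack plus try/finally gives that guarantee; poking a
private attribute such as _context.user gives none.
"""
from contextlib import contextmanager


class SecurityManager:
    """Hypothetical stand-in for a security manager; holds a user stack."""

    def __init__(self, user):
        self._user_stack = [user]

    def getUser(self):
        """The effective user is whoever is on top of the stack."""
        return self._user_stack[-1]

    def depth(self):
        """Stack depth; 1 means no impersonation is in effect."""
        return len(self._user_stack)

    @contextmanager
    def runAs(self, user):
        """Push `user`, run the with-block, and pop again even on exceptions."""
        self._user_stack.append(user)
        try:
            yield user
        finally:
            self._user_stack.pop()


# Constructed sample data: a role table and a lookup that must run *as* the
# user whose roles are being resolved (the GUF/GUS situation in the post).
ROLE_TABLE = {"alice": ["Manager"], "bob": ["Member"]}


def role_lookup(user):
    """Resolve roles for `user`; stands in for a through-the-web object."""
    return ROLE_TABLE[user]


def lookup_roles_as(manager, target_user, lookup):
    """Run `lookup` as target_user; return (roles, effective user afterwards)."""
    with manager.runAs(target_user):
        roles = lookup(manager.getUser())
    return roles, manager.getUser()


def restore_on_error(manager, target_user):
    """Show that a raising run-as block still restores the caller's identity."""
    try:
        with manager.runAs(target_user):
            raise RuntimeError("lookup failed inside the run-as block")
    except RuntimeError:
        pass
    return manager.getUser(), manager.depth()


if __name__ == "__main__":
    sm = SecurityManager("anonymous")
    print(lookup_roles_as(sm, "alice", role_lookup))   # (['Manager'], 'anonymous')
    print(restore_on_error(sm, "bob"))                 # ('anonymous', 1)
```

The design choice worth noting is the stack rather than a single set/reset pair: nested run-as blocks (one TTW object calling another) unwind in order, and a `depth()` greater than 1 outside any block is a cheap invariant to assert in tests, which is how a leaked impersonation would be caught.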