[Zope-dev] Protected session items?

Lennart Regebro regebro at nuxeo.com
Thu Aug 26 11:06:42 EDT 2004


In TransientObject __guarded_setitem__ is just set to __setitem__.
This means, that everything you set in the session dictionary is 
changeable through user code. Is there a good reason for this?

I think it would be nice if I could set secret things in the session, 
mainly authentication information. If I do this currently, any user code 
can change it, which isn't exactly safe.

    REQUEST.SESSION['__ac_username'] = 'root'

Ooops! :)

This change:

     def __guarded_setitem__(self, k, v):
         if k[0] == '_':
             raise SomeThingOrAnotherError
         self.__setitem__(k, v)

Fixes that. Then you can only set it from protected code.
Is there some reason why this is NOT a good idea?

//Lennart
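The following is an added example, not code from the post or from Zope itself. It models the two behaviours described above in a small stand-in for TransientObject: in the "current" version `__guarded_setitem__` is simply the plain `__setitem__`, so untrusted code can overwrite `__ac_username`; in the "proposed" version the guarded write rejects keys beginning with `_`, while trusted code that calls `__setitem__` directly is unaffected. The `restricted_setitem` helper is an assumed, simplified stand-in for the write guard that restricted code goes through; it is not RestrictedPython's actual code. The guard uses `startswith('_')` rather than `k[0] == '_'` so that an empty-string or non-string key cannot raise an unrelated error.

```python
# Added example (not Zope's code): a minimal stand-in for TransientObject
# showing the current behaviour (__guarded_setitem__ is just __setitem__)
# next to the proposed guard that rejects '_'-prefixed keys when the write
# comes from restricted (untrusted) code.


class ProtectedKeyError(KeyError):
    """Raised when restricted code tries to write a protected ('_'-prefixed) key."""


class CurrentTransientObject(dict):
    """Models the existing behaviour: the guarded write is the plain write."""
    __guarded_setitem__ = dict.__setitem__


class ProposedTransientObject(dict):
    """Models the proposed change: restricted code cannot set '_'-prefixed keys.

    Trusted (unrestricted) code still calls __setitem__ directly, so it can
    store a key such as '__ac_username' that untrusted code cannot overwrite.
    """

    def __guarded_setitem__(self, k, v):
        # startswith() is used instead of k[0] == '_' so that an empty string
        # or a non-string key does not raise IndexError/TypeError instead.
        if isinstance(k, str) and k.startswith('_'):
            raise ProtectedKeyError(k)
        self.__setitem__(k, v)


def restricted_setitem(obj, key, value):
    """Assumed, simplified stand-in for the write guard placed in front of
    subscript assignments in untrusted code: route through __guarded_setitem__
    if the object defines one, otherwise refuse the write entirely.
    """
    guarded = getattr(obj, '__guarded_setitem__', None)
    if guarded is None:
        raise TypeError('object does not allow write access')
    guarded(key, value)


def demo():
    """Run the scenario from the post against both variants.

    Returns {'current': (dict, blocked), 'proposed': (dict, blocked)} where
    'blocked' says whether the untrusted overwrite of '__ac_username' was refused.
    """
    results = {}
    for name, cls in (('current', CurrentTransientObject),
                      ('proposed', ProposedTransientObject)):
        session = cls()
        session['__ac_username'] = 'alice'          # trusted code sets the secret
        restricted_setitem(session, 'theme', 'dark')  # ordinary key is still writable
        try:
            # untrusted code attempting REQUEST.SESSION['__ac_username'] = 'root'
            restricted_setitem(session, '__ac_username', 'root')
            blocked = False
        except ProtectedKeyError:
            blocked = True
        results[name] = (dict(session), blocked)
    return results


if __name__ == '__main__':
    for variant, (contents, blocked) in demo().items():
        print(variant, 'blocked' if blocked else 'NOT blocked', contents)
```

Note that this only closes the write path that goes through `__guarded_setitem__`; any equivalent guard for deletion, and any other route by which untrusted code can reach the underlying mapping, needs the same treatment for the protected keys to actually stay protected.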
