[Zope-dev] Protected session items?

Chris McDonough chrism at plope.com
Thu Aug 26 18:08:31 EDT 2004 

On Thu, 2004-08-26 at 11:06, Lennart Regebro wrote:
> In TransientObject __guarded_setitem__ is just set to __setitem__.
> This means, that everything you set in the session dictionary is 
> changeable through user code. Is there a good reason for this?

I don't think __guarded_setitem__ is at fault.

> I think it would be nice if I could set secret things in the session, 
> mainly authentication information. If i do this currently, any user code 
> can change it, which isn't exactly safe.
> 
>     REQUEST.SESSION['__ac_username'] = 'root'
> 
> Ooops! :)

REQUEST.SESSION.set('__ac_username', 'root')

Nothing magic about __guarded_setitem__ unfortunately.

For this particular case maybe just don't trust __ac_username in the
session; just put the credentials in the session as __ac and do what
CookieCrumbler does (set REQUEST._auth, and so on) on each request from
trusted code.  Then it becomes exactly as safe as basic auth or cookie
auth wrt risk of identity change.

I agree though that it would be nice to be able to have a kind of
session where the ability to write anything into it could be restricted
by a permission.

> This change:
> 
>      def __guarded_setitem__(self, k, v):
>          if k[0] == '_':
>              raise SomeThingOrAnotherError
>          self.__setitem__(k, v)
> 
> Fixes that. Then you can only set it from protected code.
> Is there some reason why this is NOT a good idea?

Since nobody does attribute access with a session
(SESSION.__ac_username), they always do SESSION['__ac_username'], or
SESSION.get('__ac_username'), it's even more magical than usual in the
Zope sense.  The session was always meant to act almost exactly like a
dictionary and not like a typical persistent SimpleItem-based Zope
object.

I suspect that the problem of providing "authorized" session data access
can be solved using permissions and place instead of baking the
underscore hack in (a separate session data manager and/or transient
object container could be used to provide this kind of session and it
could be put in a separate place).  Too bad I didn't anticipate this in
TransientObject and protect the setting methods with some permission
(they're all public now).  But maybe a subclass or alternate
implementation could do that?

- C

More information about the Zope-Dev mailing list