[Zope-dev] Protected session items?
Tino Wildenhain
tino at wildenhain.de
Fri Aug 27 05:41:52 EDT 2004
Hi,
On Fri, 27.08.2004 at 11:32, Lennart Regebro wrote:
> Lennart Regebro wrote:
> > Another idea: Maybe I could make an object that does not have public
> > access, and store that in the session?
>
> That seems to work!
>
> Here is the class:
>
> class ProtectedUsername:
>     """An object where the username is not accessible from user code."""
>     def _setUsername(self, username):
>         self.__username = username
>
>     def _getUsername(self):
>         return self.__username
>
> Very simple indeed.
>
> It is impossible to define a class that has methods that start with an
> underscore from user code, and even other user-code classes seem not to
> be picklable (is that correct?), so even though you can replace the value
> of SESSION['__ac'] you can't replace it with any user-code object, and
> definitely not with anything that has a _getUsername() method.
> And, as additional security, when I use it I check that it really is a
> ProtectedUsername object:
>
> if ob is not None and isinstance(ob, ProtectedUsername):
>     username = ob._getUsername()
>
> This *should* mean, that as long as you don't allow usercode to import a
> ProtectedUsername object, it should be safe. In fact, you can't even
> figure out what the username is. ;)
>
Even a traceback will not show this username anymore if it's inside
an object without __repr__ :-)
Regards
Tino
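As an added example (not code from the thread), the pattern discussed above written out on the trusted side: the accessor class, the isinstance gate, and what happens when something else is stored under the session key. A plain dict stands in for the Zope session, and Zope's restricted-code barrier (which rejects underscore names) is assumed rather than reproduced here, so only the trusted-side checks are shown.

```python
class ProtectedUsername:
    """Holds a username behind underscore-prefixed accessors only.

    In Zope, restricted (through-the-web) code may not call names that
    begin with an underscore, so the value is unreachable from there;
    trusted code calls _getUsername() after an isinstance() check.
    """
    def _setUsername(self, username):
        self.__username = username   # mangled to _ProtectedUsername__username

    def _getUsername(self):
        return self.__username

    # Deliberately no __repr__/__str__: a traceback shows only type and id.


def username_from_session(session, key="__ac"):
    """Trusted-side lookup: accept only a genuine ProtectedUsername.

    Anything else stored under the key (a bare string, a dict, or a
    look-alike class with its own _getUsername) is rejected and the
    request is treated as anonymous.
    """
    ob = session.get(key)
    if ob is not None and isinstance(ob, ProtectedUsername):
        return ob._getUsername()
    return None


class LookAlike:
    """Hypothetical substitute object that merely copies the method name."""
    def _getUsername(self):
        return "admin"


def demo():
    session = {}                      # constructed stand-in for SESSION
    ob = ProtectedUsername()
    ob._setUsername("alice")
    session["__ac"] = ob
    genuine = username_from_session(session)

    session["__ac"] = "admin"         # a plain value under the key
    bare_string = username_from_session(session)

    session["__ac"] = LookAlike()     # same method name, wrong type
    spoofed = username_from_session(session)

    # Tino's point: without __repr__ the default repr never carries the name.
    # (Name mangling alone is not a barrier; vars(ob) still shows the attribute.)
    leaks = "alice" in repr(ob)
    return genuine, bare_string, spoofed, leaks
```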