[Zope] forms: copying objects from request to request

Joachim Werner joe@iuveno-net.de
Mon, 28 Jan 2002 20:09:15 +0100


Hi!

> you must use a hidden form in DocumentB to transport your variable x from
> DocumentA to DocumentC.

The more elegant solution is using sessions for that. Like SmartWizards do
for example.

You'd just store the REQUEST variables you'll need with (in DTML)

<dtml-call "SESSION.set('x', REQUEST['x'])">.

Hidden forms work fine, but they are a hack. In some cases they even are a
security risk: Anybody can open your HTML file with a text editor,
manipulate the hidden form values and post the form.

I saw this once with a form that changed a user's password. It held the user
roles in a hidden form field. So the user could have just sent the form with
"Manager" added to the hidden form field to get full system access ...

Joachim
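
The password-form case described in the message, as an added example that is not part of the original post and is not Zope code: one handler takes the roles from a hidden form field, the other takes identity and roles from server-side session data. The `SESSIONS` and `USERS` dicts, the function names and the form field names are all assumptions made for illustration.

```python
# Constructed stand-ins: a dict plays the server-side SESSION store and
# plain dicts play the submitted form. None of this is Zope API.
import secrets

SESSIONS = {}   # session id -> server-side data, never sent to the browser
USERS = {"alice": {"password": "old", "roles": ["Member"]}}


def login(username):
    """Create a session; only the opaque id goes to the client as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "roles": list(USERS[username]["roles"])}
    return sid


def change_password_hidden_field(form):
    """Pattern from the post: roles round-trip through a hidden form field."""
    user = USERS[form["user"]]
    user["password"] = form["new_password"]
    user["roles"] = form["roles"].split(",")    # client-controlled value
    return user["roles"]


def change_password_session(sid, form):
    """Identity and roles come from the session; the form carries only the
    one value the user is meant to supply."""
    session = SESSIONS.get(sid)
    if session is None:
        raise PermissionError("no valid session")
    user = USERS[session["user"]]
    user["password"] = form["new_password"]
    return user["roles"]                        # unchanged by the request


def demo():
    # Constructed form whose hidden "roles" value was edited before posting.
    edited = {"user": "alice", "new_password": "n3w", "roles": "Member,Manager"}
    sid = login("alice")
    safe = list(change_password_session(sid, edited))   # extra field ignored
    unsafe = change_password_hidden_field(edited)       # extra field trusted
    return safe, unsafe


if __name__ == "__main__":
    print(demo())
```
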