[Zope] AUTHENTICATED_USER insecure. But how insecure?

Christian Theune ct@gocept.com
Wed, 6 Mar 2002 08:23:02 +0100


Hi.

On Mon, Mar 04, 2002 at 06:18:17PM +0200, Heimo Laukkanen wrote:
> "SecurityGetUser = Return the current user object. This is normally the 
> same as the REQUEST.AUTHENTICATED_USER  object. However, the 
> AUTHENTICATED_USER object is insecure since it can be replaced"
> 
> This is something that has been confusing me, since it is never 
> explained. How much should I worry that REQUEST.AUTHENTICATED_USER 
> might be changed - and is there much of a performance downside, or 
> something else, to using SecurityGetUser, which goes all the way back 
> to the Security Manager to get the user?

You should worry if you run code whose behaviour you don't know 
(e.g. DTML Methods from some user on your server), but it is also 
more readable (I think) to use SecurityGetUser.

> 
> -huima
> 

Greetings

Christian

-- 
Christian Theune - ct@gocept.com
gocept gmbh & co.kg - schalaunische strasse 6 - 06366 koethen/anhalt
tel.+49 3496 3099112 - fax.+49 3496 3099118 mob. - 0178 48 33 981

reduce(lambda x,y:x+y,[chr(ord(x)^42) for x in 'zS^BED\nX_FOY\x0b'])
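The replacement Christian is warning about, as an added example that is not part of the original mail and not Zope's code: a constructed toy model that only mimics the shape of Zope's REQUEST mapping (with its set() method and attribute-style reads) and of the security manager (newSecurityManager / getSecurityManager().getUser(), which is what SecurityGetUser reaches in DTML). The User, HTTPRequest and SecurityManager classes, the untrusted_dtml_method stand-in and the 'alice'/'admin' users are all assumptions of the example. It shows that a check which reads the user back out of REQUEST is fooled by any code that runs earlier in the same request, while a check that asks the security manager is not.

```python
# Constructed toy model, not Zope's code: mimics the shape of Zope's REQUEST
# mapping and security manager to show why a user object read back from
# REQUEST can be swapped out by any code that runs during the request.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

    def has_role(self, role):
        return role in self.roles


class HTTPRequest(dict):
    """Stand-in for Zope's REQUEST: a mutable mapping with a set() method
    and attribute-style reads, both of which Zope's real request offers."""

    def set(self, key, value):
        self[key] = value

    def __getattr__(self, key):
        try:
            return self[key]
        except KeyError:
            raise AttributeError(key) from None


class SecurityManager:
    """Stand-in for the security manager: keeps its own reference to the
    user fixed at authentication time, unreachable through REQUEST."""

    def __init__(self, user):
        self._user = user

    def getUser(self):
        return self._user


_manager = None  # real Zope keeps this per thread; one global suffices here


def newSecurityManager(request, user):
    """Called once at authentication; also publishes the user in REQUEST,
    which is where REQUEST.AUTHENTICATED_USER comes from."""
    global _manager
    _manager = SecurityManager(user)
    request.set('AUTHENTICATED_USER', user)


def getSecurityManager():
    return _manager


def untrusted_dtml_method(REQUEST):
    """Plays the role of a DTML Method written by an ordinary site user:
    it can reach REQUEST and overwrite the published user object."""
    REQUEST.set('AUTHENTICATED_USER', User('admin', frozenset({'Manager'})))


def check_via_request(REQUEST):
    """The insecure check: trusts whatever REQUEST currently holds."""
    return REQUEST.AUTHENTICATED_USER.has_role('Manager')


def check_via_security_manager():
    """The robust check: asks the security manager (what SecurityGetUser does)."""
    return getSecurityManager().getUser().has_role('Manager')


def run_scenario():
    """Returns ((request_check, manager_check) before tampering,
    (request_check, manager_check) after tampering)."""
    REQUEST = HTTPRequest()
    newSecurityManager(REQUEST, User('alice', frozenset({'Authenticated'})))
    before = (check_via_request(REQUEST), check_via_security_manager())
    untrusted_dtml_method(REQUEST)
    after = (check_via_request(REQUEST), check_via_security_manager())
    return before, after


if __name__ == '__main__':
    print(run_scenario())  # ((False, False), (True, False))
```

Before the untrusted method runs, both checks agree that alice is not a Manager; after it, the REQUEST-based check says she is, while the security manager still answers for the user authenticated at the start of the request. The toy keeps one global manager for brevity; in real Zope the manager is per thread, and Python code asks it with getSecurityManager().getUser() from AccessControl, which is the same user SecurityGetUser returns in DTML.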