[Zope] Session
Chris McDonough
chrism at zopemafia.com
Tue Sep 2 04:39:43 EDT 2003
I still don't know the methods you want to call, but I'll venture a
guess as to how you want to do this.
Some of desire for this functionality has already been predicted. There
is a method on the session data manager named getSessionDataByKey, which
returns a session data object for a particular browser id. It is
protected by the "Access arbitrary user session data" permission, which
by default is granted to a Manager. Once he's gotten the object, any
user can do whatever he wants with it (it is not protected by any
permission in any way).
So the trick is getting the list of active sessions (really just their
their browser ids) and allowing users to call getSessionDataByKey.
Unfortunately, there is no way get the list of current sessions without
writing an external method or Product at the moment. You could:add a
security declaration to the "keys" method of the transient object
container which would then allow you to do this in TTW code. However,
that method is not part of the public API and is subject to change
without notice (although it's unlikely to go away).
I would probably accept a patch that made what you're doing possible as
long as it didn't negatively impact sessioning security.
HTH!
- C
On Mon, 2003-09-01 at 23:25, Dennis Allison wrote:
> No problem. I want to write a monitoring program to maintain running
> sumamries of users. We store a lot of information as session variables
> and so I'll want to look at the stored session variable for all active
> sessions. This does not appear to be possible without doing a Product
> or using an External Method--I've already built a bit of a framework for
> what I need using external methods.
>
> -d
>
> On 1 Sep 2003, Chris McDonough wrote:
>
> > You'll need to be a little more specific when you say "able to look at
> > the session data objects". What methods do you want to call on the
> > session data container?
> >
> > On Sun, 2003-08-31 at 19:32, Dennis Allison wrote:
> > > I have a collection of session objects, each corresponding to an active
> > > users, each stored away in a session data container which is, itself,
> > > stored away in a transience object (aka temp_folder). For system
> > > monitoring purposes I want a privileged user to be able to look at
> > > the session data objects. The documentation (Zope Book, 2_6 Ed) is
> > > silent on this question. A first attempt at looking inside a session data
> > > container failed on security even at the highest privilege level. I'm
> > > assuming that access is only allowed from External Methods and Procducts,
> > > but thought I'd ask the group before reading the code and experimenting.
> > >
> > > -d
> > >
> > >
> > > _______________________________________________
> > > Zope maillist - Zope at zope.org
> > > http://mail.zope.org/mailman/listinfo/zope
> > > ** No cross posts or HTML encoding! **
> > > (Related lists -
> > > http://mail.zope.org/mailman/listinfo/zope-announce
> > > http://mail.zope.org/mailman/listinfo/zope-dev )
> >
More information about the Zope
mailing list