[Zope] Session
Dennis Allison
allison at sumeru.stanford.EDU
Mon Sep 1 23:31:15 EDT 2003
Thanks Chris, that helps. I'll explore a bit and let you know what I end
up doing. -dra
On 1 Sep 2003, Chris McDonough wrote:
> I still don't know the methods you want to call, but I'll venture a
> guess as to how you want to do this.
>
> Some of the desire for this functionality has already been predicted. There
> is a method on the session data manager named getSessionDataByKey, which
> returns a session data object for a particular browser id. It is
> protected by the "Access arbitrary user session data" permission, which
> by default is granted to a Manager. Once he's gotten the object, any
> user can do whatever he wants with it (it is not protected by any
> permission in any way).
>
> So the trick is getting the list of active sessions (really just
> their browser ids) and allowing users to call getSessionDataByKey.
> Unfortunately, there is no way to get the list of current sessions without
> writing an external method or Product at the moment. You could add a
> security declaration to the "keys" method of the transient object
> container which would then allow you to do this in TTW code. However,
> that method is not part of the public API and is subject to change
> without notice (although it's unlikely to go away).
>
> I would probably accept a patch that made what you're doing possible as
> long as it didn't negatively impact sessioning security.
>
> HTH!
>
> - C
>
>
> On Mon, 2003-09-01 at 23:25, Dennis Allison wrote:
> > No problem. I want to write a monitoring program to maintain running
> > summaries of users. We store a lot of information as session variables
> > and so I'll want to look at the stored session variable for all active
> > sessions. This does not appear to be possible without doing a Product
> > or using an External Method--I've already built a bit of a framework for
> > what I need using external methods.
> >
> > -d
> >
> > On 1 Sep 2003, Chris McDonough wrote:
> >
> > > You'll need to be a little more specific when you say "able to look at
> > > the session data objects". What methods do you want to call on the
> > > session data container?
> > >
> > > On Sun, 2003-08-31 at 19:32, Dennis Allison wrote:
> > > > I have a collection of session objects, each corresponding to an active
> > > > user, each stored away in a session data container which is, itself,
> > > > stored away in a transience object (aka temp_folder). For system
> > > > monitoring purposes I want a privileged user to be able to look at
> > > > the session data objects. The documentation (Zope Book, 2_6 Ed) is
> > > > silent on this question. A first attempt at looking inside a session data
> > > > container failed on security even at the highest privilege level. I'm
> > > > assuming that access is only allowed from External Methods and Products,
> > > > but thought I'd ask the group before reading the code and experimenting.
> > > >
> > > > -d
> > > >
> > > >
> > >
>
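The approach discussed in this thread, sketched as an External Method; this is an added example, not code from either poster or from Zope. External Method code runs outside the restricted TTW sandbox, so it checks the permission named in the thread itself and returns only allow-listed fields rather than the unprotected session objects. Assumptions: the default ids `temp_folder`, `session_data` and `session_data_manager`, the session keys `username` and `last_page`, `getSessionDataByKey` returning `None` for an expired key, and `PermissionError` standing in for Zope's own Unauthorized exception.

```python
# Added example (not from the thread). Object ids and session keys below
# are assumptions; adjust them to the site being monitored.
PERMISSION = "Access arbitrary user session data"  # permission named in the thread
SAFE_FIELDS = ("username", "last_page")            # hypothetical, non-secret keys
_MISSING = object()


def summarise(container, manager, may_access, fields=SAFE_FIELDS):
    """Return {browser_id: {field: value}} for sessions that still exist."""
    if not may_access:
        # Stand-in for Zope's Unauthorized exception.
        raise PermissionError(PERMISSION)
    report = {}
    # keys() on the transient object container is non-public API per the thread.
    for browser_id in list(container.keys()):
        data = manager.getSessionDataByKey(browser_id)
        if data is None:  # assumed result when the session expired meanwhile
            continue
        # Copy allow-listed fields only. The session data object carries no
        # permission checks of its own, so it is never returned to the caller.
        picked = {}
        for field in fields:
            value = data.get(field, _MISSING)
            if value is not _MISSING:
                picked[field] = value
        report[browser_id] = picked
    return report


def active_session_report(self):
    """External Method entry point; accepts no request-supplied arguments."""
    from AccessControl import getSecurityManager  # importable only inside Zope
    allowed = getSecurityManager().checkPermission(PERMISSION, self)
    return summarise(self.temp_folder.session_data,
                     self.session_data_manager,
                     bool(allowed))
```
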