[Zope] getSecurityManager() vs. AUTHENTICATED_USER
Florent Guillaume
fg at nuxeo.com
Sat Jul 9 06:52:17 EDT 2005
Peter Bengtsson <peter at fry-it.com> wrote:
> Dieter Maurer <dieter at handshake.de> wrote:
> > Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> > >I've learnt that it's better to use getSecurityManager instead of
> > >REQUEST.AUTHENTICATED_USER
> > >because it's more secure. Other than that, what is the difference.
> >
> > The security manager could be changed (e.g. with "newSecurityManager").
> > "getSecurityManager" would report the change but not "AUTHENTICATED_USER".
> >
>
> "newSecurityManager" ??
> never heard of that. The __doc__ says
> """ Set up a new security context for a request for a user """
>
> What is this used for? I'm guessing it's something we use in unittests
> and stuff.
It's used whenever some code has to act "as if" it was another user.
The only use I find in core Zope code is when a temporary container for
session objects calls its notify method. It does so as an anonymous user
instead of the logged-in one.
But third-party code can use it too. CPS does, for instance.
Florent
--
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope
mailing list