[Zope] getSecurityManager() vs. AUTHENTICATED_USER

Florent Guillaume fg at nuxeo.com
Sat Jul 9 06:52:17 EDT 2005


Peter Bengtsson  <peter at fry-it.com> wrote:
> Dieter Maurer <dieter at handshake.de> wrote:
> > Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> > >I've learnt that it's better to use getSecurityManager instead of
> > >REQUEST.AUTHENTICATED_USER
> > >because it's more secure. Other than that, what is the difference?
> > 
> > The security manager could be changed (e.g. with "newSecurityManager").
> > "getSecurityManager" would report the change but not "AUTHENTICATED_USER".
> > 
> 
> "newSecurityManager" ??
> never heard of that. The __doc__ says
> """ Set up a new security context for a request for a user """
> 
> What is this used for? I'm guessing it's something we use in unittests
> and stuff.

It's used whenever some code has to act "as if" it was another user.

The only use I find in core Zope code is when a temporary container for
session objects calls its notify method. It does so as an anonymous user
instead of the logged-in one.

But third-party code can use it too. CPS does, for instance.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
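
The difference discussed in this thread, as an added example that is not part of the original message and is not Zope code: a stand-alone model in which the function names mirror AccessControl's, while `publish`, `run_as`, `who` and the dict-based request are assumptions made for illustration. It shows that an authorization check reading `AUTHENTICATED_USER` keeps seeing the logged-in user while code runs under a switched security manager.

```python
import threading

# Stand-alone model of the behaviour discussed in the thread. The function
# names mirror Zope's AccessControl API, but nothing here is Zope code.
_ctx = threading.local()

class SecurityManager:
    def __init__(self, user):
        self._user = user
    def getUser(self):
        return self._user

def newSecurityManager(request, user):
    """Install a new security context for this thread."""
    _ctx.manager = SecurityManager(user)

def getSecurityManager():
    return _ctx.manager

def setSecurityManager(manager):
    _ctx.manager = manager

def publish(request, user):
    """Model of request start: authenticate once, record the user twice."""
    request["AUTHENTICATED_USER"] = user   # snapshot taken at authentication
    newSecurityManager(request, user)      # live, replaceable context

def run_as(request, user, func):
    """Run func under another user's context, always restoring the old one."""
    saved = getSecurityManager()
    newSecurityManager(request, user)
    try:
        return func(request)
    finally:
        setSecurityManager(saved)

def who(request):
    """Report the user as seen by each lookup: (request snapshot, live context)."""
    return (request["AUTHENTICATED_USER"], getSecurityManager().getUser())

def demo():
    request = {}                           # constructed sample request
    publish(request, "peter")
    before = who(request)
    during = run_as(request, "Anonymous User", who)
    after = who(request)
    return before, during, after

if __name__ == "__main__":
    for label, pair in zip(("before", "during", "after"), demo()):
        print(label, pair)
```

The `try`/`finally` in `run_as` is what keeps a failure inside the switched context from leaving the rest of the request running as the wrong user.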

