True. This will break backward compatibility but it is a security
issue.
I will sleep on it. All in favor? Against?

On Dec 1, 10:34 pm, guruyaya <[email protected]> wrote:
> Ummm... you know that it's an opening for xss... right?
>
> It's not a big deal if everything else is done right in the website,
> but I can force an admin to impersonate someone else, by creating an
> image in my website, with src that goes:
> http://.../app/default/user/impersonate/{id}
> You should really move this to post.
>
> On Dec 1, 2:47 am, mdipierro <[email protected]> wrote:
>
> >http://.../app/default/user/impersonate/{id}
>
> > will do this for you but you need to have permission to "impersonate".
> > Look at the docstring.
>
> > Massimo
>
> > On Nov 30, 2:43 pm, mart <[email protected]> wrote:
>
> > > Hi,
>
> > > I would like to make use of the following snippet (something I have
> > > here often enough)
>
> > > * in controller
> > > db(db.someTable.user==me).select()
>
> > > * in db.py
> > > if auth.is_logged_in():
> > >    me=auth.user.id
> > > else:
> > >    me=None
>
> > > How do I turn this into something like
>
> > > if auth.is_logged_in():
> > >     genericUser=auth.user.id
>
> > > while the user is visiting on THIS page, they can as an option, assume
> > > a generic user's ID to view his stuff (file system resources) but with
> > > stricter permission (like view and download, but not change or delete?
>
> > > Thanks,
>
> > > Mart :)
>
>
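The thread's point is that an impersonation endpoint reachable by GET can be triggered by any page the admin's browser loads (an `<img src=...>` is enough, since the browser attaches the session cookie), and that moving the action to POST is the fix. The following is an added, framework-agnostic Python model of that endpoint, not code from the thread or from web2py; `Session`, `Request`, `impersonate_get`, `impersonate_post` and the `_formkey` field name are assumptions for illustration. It places the GET-triggered shape beside a hardened shape that requires POST plus a per-session token, and walks a constructed forced-request scenario through both.

```python
"""Added example: why a GET-triggered state change is forceable cross-site,
and the POST + per-session token shape that closes it. Names and the
request/session model are constructed for illustration (not web2py APIs)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    # Constructed session model: who is logged in, what they may do,
    # a random token issued once per session, and the impersonation state.
    user_id: int
    permissions: set = field(default_factory=set)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    impersonating: Optional[int] = None


@dataclass
class Request:
    # Constructed request model: method, path, the session the browser's
    # cookie resolved to, and any submitted form fields.
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)


def has_permission(session: Session, name: str) -> bool:
    return name in session.permissions


def impersonate_get(request: Request, target_id: int) -> int:
    """Vulnerable shape (the one discussed in the thread): any request to the
    URL changes state. A third-party page can make the admin's browser issue
    that request, the cookie rides along, the permission check passes because
    the victim really is the admin, and the state change happens unintended."""
    if not has_permission(request.session, "impersonate"):
        return 403
    request.session.impersonating = target_id
    return 200


def impersonate_post(request: Request, target_id: int) -> int:
    """Hardened shape: only POST may change state, and the request must carry
    a token that only a page served to this session could have embedded."""
    if request.method != "POST":
        return 405  # GET/HEAD must never mutate state
    token = request.form.get("_formkey", "")
    if not hmac.compare_digest(token, request.session.csrf_token):
        return 403  # missing or forged token: cross-site pages cannot read it
    if not has_permission(request.session, "impersonate"):
        return 403
    request.session.impersonating = target_id
    return 200


def forced_request_demo() -> dict:
    """Constructed scenario: an admin's browser loads a third-party page that
    issues a cross-site GET and a cross-site POST without the token, then the
    admin submits the legitimate form. Returns the status each handler gave."""
    path = "/app/default/user/impersonate/42"
    admin = Session(user_id=1, permissions={"impersonate"})
    results = {}

    # 1. Forced GET against the vulnerable handler: succeeds silently.
    results["vulnerable_get"] = impersonate_get(Request("GET", path, admin), 42)
    results["vulnerable_state"] = admin.impersonating
    admin.impersonating = None

    # 2. Same forced GET against the hardened handler: rejected by method.
    results["hardened_forced_get"] = impersonate_post(Request("GET", path, admin), 42)

    # 3. Forced POST (a cross-site page can auto-submit a form, but cannot
    #    read the victim's token): rejected by token check.
    results["hardened_forged_post"] = impersonate_post(
        Request("POST", path, admin, form={"_formkey": "guess"}), 42)
    results["state_after_forgeries"] = admin.impersonating

    # 4. Legitimate POST from the site's own form, carrying the session token.
    results["hardened_legit_post"] = impersonate_post(
        Request("POST", path, admin, form={"_formkey": admin.csrf_token}), 42)
    results["final_target"] = admin.impersonating
    return results


if __name__ == "__main__":
    for name, value in forced_request_demo().items():
        print(f"{name}: {value}")
```

The method check alone already stops the `<img>` trick, since an image load is always a GET; the token check is what also stops an auto-submitted cross-site form, which is why both belong together on any endpoint that changes who the session acts as.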