Interesting... the risk for me is just about a non-issue so it didn't
occur to me... this is for a web app living inside a corporate network
where the same resources could be had by other means. The
"impersonate" feature would be very efficient and convenient in this
case; would there be another way to achieve the same thing without posing
the security risk? Perhaps something like "while on THIS page, your
login credentials are replaced with those of the 'generic' user"? Like
perhaps a "masking" feature? In this case, the onus would be (like in
any other situation) on the web site owner/admin to make sure users
could only wear a specific and defined user's "mask" and that that level of
permission met the required level?

thanks,
Mart :)



On Dec 1, 11:34 pm, guruyaya <[email protected]> wrote:
> Ummm... you know that it's an opening for xss... right?
>
> It's not a big deal if everything else is done right in the website,
> but I can force an admin to impersonate someone else, by creating an
> image in my website, with src that goes:
> http://.../app/default/user/impersonate/{id}
> You should really move this to post.
>
> On Dec 1, 2:47 am, mdipierro <[email protected]> wrote:
>
> >http://.../app/default/user/impersonate/{id}
>
> > will do this for you but you need to have permission to "impersonate".
> > Look at the docstring.
>
> > Massimo
>
> > On Nov 30, 2:43 pm, mart <[email protected]> wrote:
>
> > > Hi,
>
> > > I would like to make use of the following snippet (something I have
> > > here often enough)
>
> > > * in controller
> > > db(db.someTable.user==me).select()
>
> > > * in db.py
> > > if auth.is_logged_in():
> > >    me=auth.user.id
> > > else:
> > >    me=None
>
> > > How do I turn this into something like
>
> > > if auth.is_logged_in():
> > >     genericUser=auth.user.id
>
> > > while the user is visiting THIS page, they can, as an option, assume
> > > a generic user's ID to view his stuff (file system resources) but with
> > > stricter permissions (like view and download, but not change or delete)?
>
> > > Thanks,
>
> > > Mart :)
>
>
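The GET-triggered impersonate URL that guruyaya describes, next to the POST-only, token-checked, allowlisted alternative that Mart's "mask" idea amounts to, as an added example that is not from the thread or from web2py itself (ImpersonationGuard, the session dict and the permission name are assumed):

```python
# Added example, not web2py code: a framework-independent guard showing why a
# state-changing GET such as /impersonate/{id} is forgeable with <img src=...>
# and what a safer version must check before switching identities.
import hmac
import secrets

class ImpersonationGuard:
    """Decides whether a request may switch the actor to another user's identity."""

    def __init__(self, mask_allowlist):
        # Users whose "mask" may be worn: a specific, defined set, as Mart proposed.
        self.mask_allowlist = set(mask_allowlist)

    @staticmethod
    def issue_token(session):
        # One per-session secret, rendered into the impersonate form as a hidden field.
        session["csrf_token"] = secrets.token_hex(16)
        return session["csrf_token"]

    def check(self, method, session, form, target_id):
        """Return (allowed, reason). Every check must pass before impersonation."""
        if method != "POST":
            # An <img src="/impersonate/42"> issues a GET; refusing GET closes that vector.
            return False, "state change requires POST"
        expected = session.get("csrf_token", "")
        supplied = form.get("csrf_token", "")
        # A cross-site form can still POST, but it cannot read the victim's token.
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "missing or invalid CSRF token"
        if "impersonate" not in session.get("permissions", ()):
            return False, "actor lacks impersonate permission"
        if target_id not in self.mask_allowlist:
            return False, "target is not an approved mask"
        return True, "ok"

def demo():
    # Constructed sample session: a logged-in user who holds the impersonate permission.
    guard = ImpersonationGuard(mask_allowlist={"generic"})
    session = {"user_id": 7, "permissions": {"impersonate"}}
    token = guard.issue_token(session)
    return {
        "img_get": guard.check("GET", session, {}, "generic"),
        "forged_post": guard.check("POST", session, {"csrf_token": "guess"}, "generic"),
        "wrong_target": guard.check("POST", session, {"csrf_token": token}, "admin"),
        "legit": guard.check("POST", session, {"csrf_token": token}, "generic"),
    }
```

Only the last request in demo() is allowed; the first three show, in order, the forged GET, a forged POST without the session token, and a POST aimed at a user outside the defined mask set.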
