The security risk is not the existence of the function but the way the parameters are passed to the function.
I changed it in trunk, please give it a try and tell me what you think before we make it into stable.

Massimo

On Dec 2, 9:19 am, mart <[email protected]> wrote:
> interesting... the risk for me is just about a non-issue so it didn't
> occur to me... this is for a web app living inside a corporate network
> where the same resources could be had by other means. the
> "impersonate" feature would be very efficient and convenient in this
> case, would there be another to achieve the same thing without posing
> the security risk? perhaps something like "while on THIS page, your
> login credentials are replaced with those of the "generic" user"? Like
> perhaps a "masking" feature? In this case, the onus would be (like in
> any other situation) up to the web site owner/admin to make sure users
> could only wear a specific and defined user's "mask" and that level
> permission met the required level?
>
> thanks,
> Mart :)
>
> On Dec 1, 11:34 pm, guruyaya <[email protected]> wrote:
> > Ummm... you know that it's an opening for xss... right?
> >
> > It's not a big deal if everything else is done right in the website,
> > but I can force an admin to impersonate someone else, by creating an
> > image in my website, with src that
> > goes: http://.../app/default/user/impersonate/{id}
> > You should really move this to post.
> >
> > On Dec 1, 2:47 am, mdipierro <[email protected]> wrote:
> > > http://.../app/default/user/impersonate/{id}
> > >
> > > will do this for you but you need to have permission to "impersonate".
> > > Look at the docstring.
> > >
> > > Massimo
> > >
> > > On Nov 30, 2:43 pm, mart <[email protected]> wrote:
> > > > Hi,
> > > >
> > > > I would like to make use of the following snippet (something I have
> > > > here often enough)
> > > >
> > > > * in controller
> > > > db.someTable.user==me)).select()
> > > >
> > > > * in db.py
> > > > if auth.is_logged_in():
> > > >     me=auth.user.id
> > > > else:
> > > >     me=None
> > > >
> > > > How do I turn this into something like
> > > >
> > > > if auth.is_logged_in():
> > > >     genericUser=auth.user.id
> > > >
> > > > while the user is visiting on THIS page, they can as an option, assume
> > > > a generic user's ID to view his stuff (file system resources) but with
> > > > stricter permission (like view and download, but not change or delete?
> > > >
> > > > Thanks,
> > > >
> > > > Mart :)
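An added illustration of the point the thread makes (this is example code, not web2py's own implementation): an impersonate action driven by a GET URL is triggered by any page that makes the admin's browser fetch it, whereas a POST-only handler that checks a session-bound CSRF token and the "impersonate" permission is not. The `Request`, `Session` and handler names are assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for a framework's session and request objects (assumptions).
@dataclass
class Session:
    user_id: int
    permissions: set = field(default_factory=set)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    impersonating: Optional[int] = None

@dataclass
class Request:
    method: str   # "GET" or "POST"
    args: list    # URL path parts, e.g. ["42"] from .../impersonate/42
    form: dict    # POST body fields

def impersonate_via_get(req: Request, sess: Session) -> str:
    """The pattern discussed in the thread: a state change driven by a GET URL.
    The session cookie is sent automatically, so a permission check alone
    does not stop a request the admin's browser was tricked into making."""
    if "impersonate" not in sess.permissions:
        return "forbidden"
    sess.impersonating = int(req.args[0])
    return "impersonating"

def impersonate_via_post(req: Request, sess: Session) -> str:
    """Hardened form: POST only, and the body must carry a token that only
    this user's own session (and pages rendered from it) knows."""
    if req.method != "POST":
        return "method not allowed"
    token = req.form.get("_csrf", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "bad csrf token"
    if "impersonate" not in sess.permissions:
        return "forbidden"
    sess.impersonating = int(req.form["id"])
    return "impersonating"
```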

