alright... so, I played hooky from work and put a bit of time into this,
and... I think it worked... Yes, granted, a pathetic answer... but so
are my webApp skills... I am saying yes but with a caveat: someone
more knowing about web2py and permissions should double check (I
played around a little too much in there, which does poke a few
holes in my confidence about my ability to test properly - just being
honest).

I wish I could be more certain (I'd be a terrible tester... I'm the
type to never be sure I shut the stove after leaving the house).

Thanks,
Mart :)

On Dec 2, 2:25 pm, mdipierro <[email protected]> wrote:
> The security risk is not the existence of the function but the way the
> parameters are passed to the function.
>
> I changed it in trunk, please give it a try and tell me what you think
> before we make it into stable.
>
> Massimo
>
> On Dec 2, 9:19 am, mart <[email protected]> wrote:
>
> > interesting... the risk for me is just about a non-issue so it didn't
> > occur to me... this is for a web app living inside a corporate network
> > where the same resources could be had by other means. The
> > "impersonate" feature would be very efficient and convenient in this
> > case; would there be another way to achieve the same thing without posing
> > the security risk? Perhaps something like "while on THIS page, your
> > login credentials are replaced with those of the "generic" user"? Like
> > perhaps a "masking" feature? In this case, the onus would be (like in
> > any other situation) on the web site owner/admin to make sure users
> > could only wear a specific and defined user's "mask" and that that level
> > of permission met the required level?
>
> > thanks,
> > Mart :)
>
> > On Dec 1, 11:34 pm, guruyaya <[email protected]> wrote:
>
> > > Ummm... you know that it's an opening for xss... right?
> > >
> > > It's not a big deal if everything else is done right in the website,
> > > but I can force an admin to impersonate someone else, by creating an
> > > image in my website, with src that
> > > goes: http://.../app/default/user/impersonate/{id}
> > > You should really move this to POST.
>
> > > On Dec 1, 2:47 am, mdipierro <[email protected]> wrote:
>
> > > >http://.../app/default/user/impersonate/{id}
>
> > > > will do this for you but you need to have permission to "impersonate".
> > > > Look at the docstring.
>
> > > > Massimo
>
> > > > On Nov 30, 2:43 pm, mart <[email protected]> wrote:
>
> > > > > Hi,
>
> > > > > I would like to make use of the following snippet (something I have
> > > > > here often enough)
>
> > > > > * in controller
> > > > > db(db.someTable.user == me).select()
>
> > > > > * in db.py
> > > > > if auth.is_logged_in():
> > > > >    me=auth.user.id
> > > > > else:
> > > > >    me=None
>
> > > > > How do I turn this into something like
>
> > > > > if auth.is_logged_in():
> > > > >     genericUser=auth.user.id
>
> > > > > while the user is visiting on THIS page, they can, as an option, assume
> > > > > a generic user's ID to view his stuff (file system resources) but with
> > > > > stricter permission (like view and download, but not change or delete)?
>
> > > > > Thanks,
>
> > > > > Mart :)
>
>

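The point raised in the thread, shown as an added example rather than as web2py's own code: the `<img src=...>` trick works because the browser attaches the admin's session cookie to any GET, so a state-changing action reachable by GET can be forged from another site (a cross-site request forgery; the "you need the impersonate permission" check does not help, since it is the admin's own session doing the request). The hardened handler below answers only POST, checks the permission, then requires a one-time token that was minted for this session and rendered into the real form, which a third-party page cannot read. It also records the restricted "mask" Mart asks about, so the impersonating user can view and download but not change or delete. `Session`, `Request`, `_formkey`, `mask_perms` and the URL layout are assumptions for illustration, not web2py's API.

```python
# Added example (not web2py's code): GET-triggered "impersonate" vs. a
# POST + one-time form token + permission check, plus a read-only "mask".
# All names here (Session, Request, _formkey, mask_perms) are illustrative.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

READ_ONLY_MASK = frozenset({"view", "download"})   # the "mask" described in the thread


@dataclass
class Session:
    user_id: int
    groups: set = field(default_factory=set)
    impersonating: Optional[int] = None
    mask_perms: frozenset = frozenset()
    form_token: Optional[str] = None


@dataclass
class Request:
    method: str
    path: str
    session: Session                  # cookie-bound: the browser attaches it by itself
    form: dict = field(default_factory=dict)


def _target_id(path):
    """Return {id} from /user/impersonate/{id}, or None for any other path."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["user", "impersonate"] and parts[2].isdigit():
        return int(parts[2])
    return None


def impersonate_vulnerable(req):
    """Answers GET: an <img src=...> on another site is enough to trigger it."""
    target = _target_id(req.path)
    if target is None:
        return 404
    if "impersonate" not in req.session.groups:
        return 403
    req.session.impersonating = target
    return 200


def issue_form_token(session):
    """Server side of rendering the form: mint a token only this session holds."""
    session.form_token = secrets.token_hex(16)
    return session.form_token


def impersonate_hardened(req):
    """POST only, permission checked, token compared in constant time, single use."""
    if req.method != "POST":
        return 405
    target = _target_id(req.path)
    if target is None:
        return 404
    if "impersonate" not in req.session.groups:
        return 403
    expected = req.session.form_token or ""
    supplied = req.form.get("_formkey", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403
    req.session.form_token = None             # one-time: a replay fails
    req.session.impersonating = target
    req.session.mask_perms = READ_ONLY_MASK   # wear the mask, not the full account
    return 200


def allowed(session, action):
    """While masked, only the mask's actions are permitted on the other user's data."""
    if session.impersonating is None:
        return True
    return action in session.mask_perms


def forged_request(victim_session, target_id):
    """What the attacker's <img src="http://.../user/impersonate/7"> yields at the
    server: a GET carrying the victim's cookie and nothing else of the attacker's."""
    return Request("GET", f"/user/impersonate/{target_id}", victim_session)


def demo():
    out = {}
    admin = Session(user_id=1, groups={"impersonate"})
    out["vuln_forged_get"] = impersonate_vulnerable(forged_request(admin, 7))
    out["vuln_now_impersonating"] = admin.impersonating

    admin = Session(user_id=1, groups={"impersonate"})
    out["hard_forged_get"] = impersonate_hardened(forged_request(admin, 7))
    # A cross-site auto-submitted form still carries the cookie but not the token.
    out["hard_forged_post"] = impersonate_hardened(
        Request("POST", "/user/impersonate/7", admin, {"_formkey": "guess"}))
    token = issue_form_token(admin)            # the genuine page renders this token
    out["hard_legit_post"] = impersonate_hardened(
        Request("POST", "/user/impersonate/7", admin, {"_formkey": token}))
    out["hard_now_impersonating"] = admin.impersonating
    out["hard_replay"] = impersonate_hardened(
        Request("POST", "/user/impersonate/8", admin, {"_formkey": token}))
    out["masked_can_view"] = allowed(admin, "view")
    out["masked_can_delete"] = allowed(admin, "delete")

    plain = Session(user_id=2)                 # no "impersonate" permission
    issue_form_token(plain)
    out["no_permission"] = impersonate_hardened(
        Request("POST", "/user/impersonate/7", plain, {"_formkey": plain.form_token}))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the thread's wording glosses over: the forged request is a CSRF rather than an XSS (no script runs in the admin's page; the browser just makes a request it was told to), and moving to POST alone is not enough, since an attacker's page can auto-submit a cross-site form; the per-session token is what makes the request unforgeable, and checking the permission before the token keeps the token from being an oracle for unprivileged users.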