[Zope-dev] Protected session items?

Lennart Regebro Thu, 26 Aug 2004 08:06:51 -0700

In TransientObject __guarded_setitem__ is just set to __setitem__. This means, that everything you set in the session dictionary is changeable through user code. Is there a good reason for this?

I think it would be nice if I could set secret things in the session, mainly authentication information. If i do this currently, any user code can change it, which isn't exactly safe.

   REQUEST.SESSION['__ac_username'] = 'root'

Ooops! :)

This change:

    def __guarded_setitem__(self, k, v):
        if k[0] == '_':
            raise SomeThingOrAnotherError
        self.__setitem__(k, v)

Fixes that. Then you can only set it from protected code.
Is there some reason why this is NOT a good idea?

//Lennart _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )

[Zope-dev] Protected session items?

Reply via email to