In TransientObject __guarded_setitem__ is just set to __setitem__.
This means that everything you set in the session dictionary is changeable through user code. Is there a good reason for this?


I think it would be nice if I could set secret things in the session, mainly authentication information. If I do this currently, any user code can change it, which isn't exactly safe.

   REQUEST.SESSION['__ac_username'] = 'root'

Ooops! :)

This change:

    from AccessControl import Unauthorized  # the original used a placeholder exception name here

    def __guarded_setitem__(self, k, v):
        # Keys starting with '_' are reserved for trusted code; refuse them on this path.
        # k[:1] (instead of k[0]) avoids an IndexError on an empty-string key.
        if isinstance(k, str) and k[:1] == '_':
            raise Unauthorized('private session key %r cannot be set from untrusted code' % (k,))
        self.__setitem__(k, v)

Fixes that. Then you can only set it from protected code.
Is there some reason why this is NOT a good idea?

//Lennart
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
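The following is an added example, not code from Lennart's message or from Zope itself. It models a TransientObject-like session mapping and the __guarded_setitem__ hook that RestrictedPython routes untrusted `obj[key] = value` writes through, so the effect of the proposed check can be seen: trusted code sets `__ac_username`, ordinary keys still work from restricted code, and the `'root'` write from the message is refused. The `Unauthorized` class, `GuardedSession`, `restricted_set` and `demo` are all constructed for this example; `Unauthorized` stands in for AccessControl.Unauthorized.

```python
# Added example, not code from the original message or from Zope.
# Models a TransientObject-like session dict plus the guarded-write hook
# that restricted (untrusted) code goes through, to show that refusing
# underscore-prefixed keys on that path only blocks the escalation.


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (assumption, keeps the demo self-contained)."""


class GuardedSession(dict):
    """Session dict where keys starting with '_' are private to trusted code."""

    PRIVATE_PREFIX = "_"

    def is_private(self, key):
        # Non-string keys and the empty string are never private; this also
        # avoids the IndexError that `key[0]` would raise on ''.
        return isinstance(key, str) and key.startswith(self.PRIVATE_PREFIX)

    # Trusted (filesystem) code calls this directly; no check is applied.
    def __setitem__(self, key, value):
        dict.__setitem__(self, key, value)

    # RestrictedPython routes item assignment from untrusted code through
    # __guarded_setitem__ when it is defined; this is where the check belongs.
    def __guarded_setitem__(self, key, value):
        if self.is_private(key):
            raise Unauthorized(
                "private session key %r cannot be set from untrusted code" % (key,)
            )
        self.__setitem__(key, value)


def restricted_set(session, key, value):
    """Emulate the path an untrusted script takes: the guarded hook, not __setitem__.

    Returns True if the write went through, False if it was refused.
    """
    try:
        session.__guarded_setitem__(key, value)
        return True
    except Unauthorized:
        return False


def demo():
    session = GuardedSession()
    # Trusted authentication code records who logged in.
    session["__ac_username"] = "alice"
    # Untrusted script code can still keep ordinary per-user state...
    allowed = restricted_set(session, "cart_items", 3)
    # ...but the write from the message is refused and the value is unchanged.
    refused = not restricted_set(session, "__ac_username", "root")
    return {
        "username": session["__ac_username"],
        "cart_items": session.get("cart_items"),
        "allowed": allowed,
        "refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The check lives only on the guarded hook, so trusted code keeps the plain __setitem__ path, which is the behaviour the message asks for. Two things worth verifying when applying this to a real TransientObject: that item deletion from restricted code goes through the sibling __guarded_delitem__ hook and gets the same prefix check, and that the guarded hook is actually what RestrictedPython resolves for the session object in your Zope version, since otherwise the check is never reached.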
