In TransientObject __guarded_setitem__ is just set to __setitem__.
This means, that everything you set in the session dictionary is changeable through user code. Is there a good reason for this?

I think it would be nice if I could set secret things in the session, mainly authentication information. If i do this currently, any user code can change it, which isn't exactly safe.

   REQUEST.SESSION['__ac_username'] = 'root'

Ooops! :)

This change:

    def __guarded_setitem__(self, k, v):
        if k[0] == '_':
            raise SomeThingOrAnotherError
        self.__setitem__(k, v)

Fixes that. Then you can only set it from protected code.
Is there some reason why this is NOT a good idea?

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to