We are running Zope 2.6.x and I noticed yesterday that I could do the

  acl_users = container.acl_users
  user = acl_users.getUser('test_user')
  print request.AUTHENTICATED_USER.getUserName()

This isn't a huge deal since it doesn't seem to change the permissions
available to the user. But many of our scripts rely on
AUTHENTICATED_USER.getUserName() to return the actual logged in user. Is
this addressed in later versions of Zope? Is there a better way to get
the current user's user name?

We allow untrusted developers on our Zope server and this may allow them
to exploit certain systems.

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to