It seems to me that you are storing data in the session which should actually be linked to the auth_user table.
On Thursday, January 3, 2013 1:39:10 AM UTC-7, Annet wrote:
>
> Massimo,
>
> Thanks for your reply.
>
> It is not clear to me what you are storing in session.
>
> I have a table 'node' and tables which reference this table by 'nodeID'.
> Nodes have accounts, depending on the kind of account their web site has
> menu items linking to web pages. All these pages extend a layout view which
> contains the elements all pages have in common, I store these elements in
> session[id] to prevent the application from querying the database for the
> same records on every request. For example the styling is stored like this:
>
> theme=db((db.nodeTheme.nodeID==id)&(db.nodeTheme.themeID==db.theme.id)).select(db.theme.ALL).first()
> session[id].container=theme.container
> session[id].navbarfixedtop=theme.navbarFixedTop
> session[id].theme=theme
>
> session[id] is instantiated in the router function and the elements are
> stored in it in the index function of the web site.
>
> The index function first checks:
>
> if not session[int(request.args(0))].accountID in (ADVANCEDACCOUNTID,PREMIUMACCOUNTID):
>     redirect(URL('addressbook','router',args=request.args(0)))
>
> and then, based on a 'nav' table, sets access to the other functions to
> True or False. Then every function checks:
>
> if not session[int(request.args(0))]:
>     redirect(URL('addressbook','router',args=request.args(0)))
> elif not session[int(request.args(0))].openingHours:
>     redirect(URL('addressbook','router',args=request.args(0)))
> else:
>     execute function
>
> This:
>>
>> id=int(request.args(0))
>>
>> account=db(db.nodeAccount.nodeID==id).select(db.nodeAccount.ALL).first()
>> ...
>> session[id]
>>
>> looks like a security vulnerability to me. Every user can access any
>> record of the table and add to the current session.
>> Web2py does not set a limitation, but the session can get arbitrarily
>> bigger and therefore slower.
>>
>
> That's what I thought, therefore I wondered whether I could store all
> this in html snippets which the layout view then includes. By including all
> the conditions I'd hoped to decrease the security vulnerability.
>
> Kind regards,
>
> Annet.
> --
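Added example, not code from the thread: the session-per-URL-argument pattern Massimo objects to, beside a variant that ties the cached page data to the authenticated account, as his reply suggests. web2py's `session`, `request`, `db` and `auth` are stand-ins here (plain dicts and a tiny `Storage` class); the node owners and themes are constructed sample data.

```python
class Storage(dict):
    """Minimal stand-in for web2py's gluon.storage.Storage (attribute access)."""
    __getattr__ = dict.get
    def __setattr__(self, key, value):
        self[key] = value

# Constructed sample data: which auth_user owns each node, and each node's theme.
NODE_OWNER = {17: "alice", 23: "bob"}
NODE_THEME = {17: Storage(container="fluid", navbarFixedTop=True),
              23: Storage(container="fixed", navbarFixedTop=False)}

def cache_theme_unchecked(session, request_arg0):
    """The pattern from the thread: session[id] is created from request.args(0)
    alone, so every distinct id a client sends adds another entry to the
    session, with no check that the id belongs to the caller."""
    node_id = int(request_arg0)
    session[node_id] = Storage()
    theme = NODE_THEME.get(node_id)
    if theme:
        session[node_id].theme = theme
        session[node_id].container = theme.container
        session[node_id].navbarfixedtop = theme.navbarFixedTop
    return session

def cache_theme_for_user(session, request_arg0, auth_username):
    """Hardened variant: the caller must be logged in and must own the node,
    and the cached data lives under one fixed key, so the session holds at
    most one node entry no matter how many ids a client tries."""
    if auth_username is None:
        raise PermissionError("login required")
    node_id = int(request_arg0)
    if NODE_OWNER.get(node_id) != auth_username:
        raise PermissionError("node %d is not owned by %s" % (node_id, auth_username))
    theme = NODE_THEME[node_id]
    session["node"] = Storage(nodeID=node_id, theme=theme,
                              container=theme.container,
                              navbarfixedtop=theme.navbarFixedTop)
    return session
```

In the unchecked version the session grows by one entry per id requested, which is the "arbitrarily bigger and therefore slower" effect described in the thread; the checked version keeps it at one entry and refuses ids the account does not own.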