It seems to me that you are storing data in the session which should 
actually be linked to the auth_user table.

On Thursday, January 3, 2013 1:39:10 AM UTC-7, Annet wrote:
>
> Massimo,
>
> Thanks for your reply.
>
> It is not clear to me what you are storing in session.
>
>
> I have a table 'node' and tables which reference this table by 'nodeID'. 
> Nodes have accounts; depending on the kind of account, their web site has 
> menu items linking to web pages. All these pages extend a layout view which 
> contains the elements all pages have in common. I store these elements in 
> session[id] to prevent the application from querying the database for the 
> same records on every request. For example the styling is stored like this:
>
> theme=db((db.nodeTheme.nodeID==id)&(db.nodeTheme.themeID==db.theme.id)).select(db.theme.ALL).first()
> session[id].container=theme.container
> session[id].navbarfixedtop=theme.navbarFixedTop
> session[id].theme=theme
>
>
> session[id] is instantiated in the router function and the elements are 
> stored in it in the index function of the web site.
>
> The index function first checks:
>
> if session[int(request.args(0))].accountID not in (ADVANCEDACCOUNTID,PREMIUMACCOUNTID):
>     redirect(URL('addressbook','router',args=request.args(0)))
>
> and then, based on a 'nav' table sets access to the other functions to 
> True or False. Then every function checks:
>
> if not session[int(request.args(0))]:
>     redirect(URL('addressbook','router',args=request.args(0)))
> elif not session[int(request.args(0))].openingHours:
>     redirect(URL('addressbook','router',args=request.args(0)))
> else:
>     # execute function
>
> This:
>>
>> id=int(request.args(0))
>> account=db(db.nodeAccount.nodeID==id).select(db.nodeAccount.ALL).first()
>> ...
>> session[id]
>>
>> looks like a security vulnerability to me. Every user can access any 
>> record of the table and add to the current session.
>> Web2py does not set a limitation, but the session can get arbitrarily 
>> bigger and therefore slower. 
>>
>
> That's what I thought; therefore I wondered whether I could store all 
> this in HTML snippets which the layout view then includes. By including all 
> the conditions I'd hoped to decrease the security vulnerability.
>
>
> Kind regards,
>
> Annet.
>
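An added illustration, not code from the thread or from web2py, of the two patterns discussed above: caching under session[int(request.args(0))], where both the cache key and the record looked up come from the URL, beside a version that takes the node from the logged-in user's auth_user row (the link the reply above recommends). It assumes plain dicts as stand-ins for the session and for the auth_user and nodeAccount tables, and constructed account ids.

```python
# Added example (not from the thread or web2py): models the risk in
# session[int(request.args(0))] with plain dicts, then the user-bound form.

from dataclasses import dataclass, field

ADVANCEDACCOUNTID, PREMIUMACCOUNTID = 2, 3   # constructed sample values

# Constructed sample tables. auth_user rows carry a nodeID, which is the
# link the reply above recommends instead of trusting the URL argument.
NODE_ACCOUNT = {1: {"accountID": PREMIUMACCOUNTID}, 2: {"accountID": 1}}
AUTH_USER = {100: {"nodeID": 1}, 101: {"nodeID": 2}}

@dataclass
class Session:
    """Stand-in for web2py's session object (a dict-like per-visitor store)."""
    data: dict = field(default_factory=dict)

def cache_by_request_arg(session, request_arg):
    """Pattern from the thread: key and record both come straight from the
    URL, so any visitor can pull any node into session, one entry per id."""
    node_id = int(request_arg)
    session.data[node_id] = dict(NODE_ACCOUNT[node_id])   # grows without bound
    return session.data[node_id]

def cache_for_user(session, auth_user_id, request_arg):
    """Hardened form: the node comes from auth_user; the URL argument is only
    checked for consistency, and one fixed key is used per session."""
    if auth_user_id is None:
        raise PermissionError("login required")
    node_id = AUTH_USER[auth_user_id]["nodeID"]
    if int(request_arg) != node_id:
        raise PermissionError("request does not match the user's own node")
    if "node" not in session.data:                         # query once
        session.data["node"] = dict(NODE_ACCOUNT[node_id], nodeID=node_id)
    return session.data["node"]

def has_premium_access(node):
    return node["accountID"] in (ADVANCEDACCOUNTID, PREMIUMACCOUNTID)

if __name__ == "__main__":
    s = Session()
    for arg in ("1", "2"):          # each id requested adds another entry
        cache_by_request_arg(s, arg)
    print(len(s.data))              # 2
    t = Session()
    print(cache_for_user(t, 100, "1"))
```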
