Ummm... you know that it's an opening for XSS... right?

It's not a big deal if everything else is done right in the website,
but I can force an admin to impersonate someone else, by creating an
image in my website, with src that goes:
http://.../app/default/user/impersonate/{id}
You should really move this to POST.

On Dec 1, 2:47 am, mdipierro <mdipie...@cs.depaul.edu> wrote:
> http://.../app/default/user/impersonate/{id}
>
> will do this for you but you need to have permission to "impersonate".
> Look at the docstring.
>
> Massimo
>
> On Nov 30, 2:43 pm, mart <msenecal...@gmail.com> wrote:
>
> > Hi,
>
> > I would like to make use of the following snippet (something I have
> > here often enough)
>
> > * in controller
> > db(db.someTable.user==me).select()
>
> > * in db.py
> > if auth.is_logged_in():
> >    me=auth.user.id
> > else:
> >    me=None
>
> > How do I turn this into something like
>
> > if auth.is_logged_in():
> >     genericUser=auth.user.id
>
> > while the user is visiting on THIS page, they can as an option, assume
> > a generic user's ID to view his stuff (file system resources) but with
> > stricter permission (like view and download, but not change or delete?
>
> > Thanks,
>
> > Mart :)
>
>

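The GET-versus-POST point raised in this reply, as an added example that is not code from the thread or from web2py itself: a framework-neutral sketch in which `Request`, the `PERMISSIONS` table and the in-memory session dict are assumed stand-ins for the real session and auth layer. It contrasts an impersonation action that switches identity on any request carrying the admin's cookie with one that requires POST plus a per-session token before checking the permission.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory permission table standing in for an auth backend.
PERMISSIONS = {"admin": {"impersonate"}, "alice": set()}


@dataclass
class Request:
    method: str                      # "GET" or "POST"
    session: dict                    # server-side session selected by the browser cookie
    form: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Store a fresh secret in the server-side session. A page on another
    origin cannot read it, so it cannot be embedded in a forged request."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def impersonate_get(request, target_id):
    """Shape of the endpoint the reply objects to: the permission check
    passes for any request that carries the admin's cookie, including one
    the browser issues for an <img src=...> on an unrelated site."""
    if "impersonate" not in PERMISSIONS.get(request.session.get("user"), set()):
        return 403
    request.session["impersonated"] = target_id
    return 200


def impersonate_post(request, target_id):
    """Hardened shape: require POST and a token that only a form rendered
    by this site could carry, then apply the same permission check."""
    if request.method != "POST":
        return 405
    sent = request.form.get("csrf", "")
    expected = request.session.get("csrf", "")
    if not (expected and hmac.compare_digest(sent, expected)):
        return 403
    if "impersonate" not in PERMISSIONS.get(request.session.get("user"), set()):
        return 403
    request.session["impersonated"] = target_id
    return 200
```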