Peter Bengtsson <[EMAIL PROTECTED]> wrote:
> Dieter Maurer <[EMAIL PROTECTED]> wrote:
> > Peter Bengtsson wrote at 2005-7-8 13:24 +0100:
> > >I've learnt that it's better to use getSecurityManager instead of
> > >REQUEST.AUTHENTICATED_USER
> > >because it's more secure. Other than that, what is the difference?
> >
> > The security manager could be changed (e.g. with "newSecurityManager").
> > "getSecurityManager" would report the change but not "AUTHENTICATED_USER".
> >
>
> "newSecurityManager" ??
> never heard of that. The __doc__ says
> """ Set up a new security context for a request for a user """
>
> What is this used for? I'm guessing it's something we use in unittests
> and stuff.

It's used whenever some code has to act "as if" it was another user.
The only use I find in core Zope code is when a temporary container for
session objects calls its notify method. It does so as an anonymous user
instead of the logged-in one.

But third-party code can use it too. CPS does, for instance.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
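
The difference discussed in this thread, as an added example that is not part of the original messages and is not Zope's code: the classes and functions below are simplified stand-ins named after Zope's AccessControl API, and acting_as and manager_checks are hypothetical helpers. It shows a role check against REQUEST.AUTHENTICATED_USER staying stale while code runs as the anonymous user, and the previous context being restored afterwards.

```python
# Stand-ins modelling Zope's AccessControl names (assumption), not Zope code.
import threading
from contextlib import contextmanager

class User:
    def __init__(self, roles):
        self._roles = tuple(roles)
    def getRoles(self):
        return self._roles

class SecurityManager:
    def __init__(self, user):
        self._user = user
    def getUser(self):
        return self._user

nobody = User(("Anonymous",))   # constructed anonymous user
_local = threading.local()      # per-thread security context

def newSecurityManager(request, user):
    _local.manager = SecurityManager(user)

def getSecurityManager():
    return getattr(_local, "manager", None) or SecurityManager(nobody)

def setSecurityManager(manager):
    _local.manager = manager

@contextmanager
def acting_as(user):
    """Hypothetical helper: switch user and always restore the old context."""
    previous = getSecurityManager()
    newSecurityManager(None, user)
    try:
        yield
    finally:
        setSecurityManager(previous)

def manager_checks(request):
    # Returns (check on the request snapshot, check on the current context).
    return ("Manager" in request["AUTHENTICATED_USER"].getRoles(),
            "Manager" in getSecurityManager().getUser().getRoles())

def demo():
    admin = User(("Manager",))                 # constructed sample user
    request = {"AUTHENTICATED_USER": admin}    # constructed sample request
    newSecurityManager(request, admin)         # logged-in context
    with acting_as(nobody):                    # code acting "as if" anonymous
        inside = manager_checks(request)
    return inside, manager_checks(request)
```

Inside the block the request-based check still reports Manager while the security-manager check does not, which is why authorization decisions should consult getSecurityManager().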