We are running Zope 2.6.x and I noticed yesterday that I could do the
following:

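  request = container.REQUEST
  acl_users = container.acl_users
  # Look up an arbitrary user and store it in the request as AUTHENTICATED_USER
  user = acl_users.getUser('test_user')
  request.set('AUTHENTICATED_USER', user)
  # Now reports test_user instead of the logged-in user
  print request.AUTHENTICATED_USER.getUserName()
  return printed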

This isn't a huge deal since it doesn't seem to change the permissions
available to the user. But many of our scripts rely on
AUTHENTICATED_USER.getUserName() to return the actual logged-in user. Is
this addressed in later versions of Zope? Is there a better way to get
the current user's user name?

We allow untrusted developers on our Zope server and this may allow them
to exploit certain systems.

-Brian
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
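
An audit sketch for the concern raised above, added here as an example and not part of the original post: it scans exported Script (Python) sources for lines that overwrite or trust the request's AUTHENTICATED_USER, so they can be moved to AccessControl's getSecurityManager().getUser(), which reads the user from the security context rather than from the request. The script ids, their bodies and the log_entry helper are constructed for illustration.

```python
import re

# Regexes rather than ast: Zope 2.6 scripts are Python 2 (print statements).
WRITE = re.compile(r"""\.set\(\s*['"]AUTHENTICATED_USER['"]""")
READ = re.compile(r"\bAUTHENTICATED_USER\b")
ADVICE = {
    "overwrite": "script replaces the request's user object",
    "trusts-request": "read getSecurityManager().getUser() instead",
}

def audit_script(name, source):
    """Return (script, line number, kind, source line) for each risky line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]  # naive comment strip, enough for triage
        if WRITE.search(code):
            findings.append((name, lineno, "overwrite", line.strip()))
        elif READ.search(code):
            findings.append((name, lineno, "trusts-request", line.strip()))
    return findings

def audit_all(scripts):
    """Audit a {script id: source} mapping, ordered by script id then line."""
    return [f for name in sorted(scripts)
            for f in audit_script(name, scripts[name])]

# Constructed sample sources; log_entry is a hypothetical helper.
SAMPLE_SCRIPTS = {
    "spoof_test": (
        "acl_users = container.acl_users\n"
        "user = acl_users.getUser('test_user')\n"
        "request.set('AUTHENTICATED_USER',user)\n"
        "print request.AUTHENTICATED_USER.getUserName()\n"
    ),
    "audit_log": (
        "name = context.REQUEST.AUTHENTICATED_USER.getUserName()\n"
        "context.log_entry(name)\n"
    ),
    "fixed_log": (
        "from AccessControl import getSecurityManager\n"
        "name = getSecurityManager().getUser().getUserName()\n"
        "context.log_entry(name)\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, kind, text in audit_all(SAMPLE_SCRIPTS):
        print("%s:%d [%s] %s -> %s" % (name, lineno, kind, text, ADVICE[kind]))
```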