Pyramid.security: Is getting user info from a database with unauthenticated_userid(request) really secure?
Posted by yourfriendzak on Stack Overflow
Published on 2012-09-22T20:57:21Z
I'm trying to make an accessible cache of user data using the Pyramid docs' "Making A “User Object” Available as a Request Attribute" example.
They're using this code to return a user object to set_request_property:
from pyramid.security import unauthenticated_userid

def get_user(request):
    # the below line is just an example, use your own method of
    # accessing a database connection here (this could even be another
    # request property such as request.db, implemented using this same
    # pattern).
    dbconn = request.registry.settings['dbconn']
    userid = unauthenticated_userid(request)
    if userid is not None:
        # this should return None if the user doesn't exist
        # in the database
        return dbconn['users'].query({'id': userid})
I don't understand why they're using unauthenticated_userid(request) to look up user info from the database... isn't that insecure? That means that user might not be logged in, so why are you using that ID to get their private info from the database?
Shouldn't
userid = authenticated_userid(request)
be used instead to make sure the user is logged in? What's the advantage of using unauthenticated_userid(request)? Please help me understand what's going on here.
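A self-contained model of the pattern, added here as an example and not code from the question, the Pyramid docs or Pyramid itself (nothing is imported from Pyramid; Policy, Request, USERS and whoami are constructed stand-ins). It shows where the login check actually happens: authenticated_userid() runs the groupfinder callback, and the callback reads request.user, so get_user() must use the unvetted id or the lookup would call itself forever; a valid ticket for a user missing from the database still ends up anonymous.

```python
from functools import cached_property

USERS = {"alice": {"id": "alice", "groups": ["editors"]}}  # constructed sample "database"

class Policy:  # stand-in for an authentication policy such as AuthTktAuthenticationPolicy
    def __init__(self, callback):
        self.callback = callback  # the groupfinder

    def unauthenticated_userid(self, request):
        # Only decodes the credential; the callback has not yet checked that the user exists.
        # (Pyramid's AuthTkt policy verifies the cookie's signature before returning anything.)
        return request.cookies.get("auth_tkt")

    def authenticated_userid(self, request):
        userid = self.unauthenticated_userid(request)
        if userid is None or self.callback(userid, request) is None:
            return None  # no credential, or the callback rejected the id
        return userid

class Request:
    def __init__(self, cookies, policy, db, user_getter):
        self.cookies, self.policy, self.db, self._getter = cookies, policy, db, user_getter

    @cached_property
    def user(self):  # request.user, as wired up with set_request_property in the docs
        return self._getter(self)

def get_user(request):
    # The docs' version: resolve the unvetted id to a DB row, or None if it is gone.
    userid = request.policy.unauthenticated_userid(request)
    return request.db.get(userid) if userid is not None else None

def get_user_via_authenticated(request):
    # The asker's proposal: authenticated_userid() runs groupfinder, which reads
    # request.user, which calls this function again, and so on without end.
    userid = request.policy.authenticated_userid(request)
    return request.db.get(userid) if userid is not None else None

def groupfinder(userid, request):
    # The login is vetted here: no DB row means None, so the request stays anonymous.
    user = request.user
    return ["g:%s" % g for g in user["groups"]] if user is not None else None

def whoami(cookies, user_getter=get_user, db=USERS):
    """Return (authenticated_userid, request.user) for a request carrying these cookies."""
    request = Request(cookies, Policy(groupfinder), db, user_getter)
    try:
        return request.policy.authenticated_userid(request), request.user
    except RecursionError:
        return "recursion", None
```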
© Stack Overflow or respective owner