[ic] Saving shopping carts on behalf of a customer.

Brian Kaney brian at vermonster.com
Tue Dec 7 12:20:37 EST 2004


On Tue, 2004-12-07 at 11:55, Mike Heins wrote:
> Quoting Brian Kaney (brian at vermonster.com):
> > 
> > 
> > The issue I am having is the administrator needs to be able to save a
> > named shopping cart (containing the quotation) on behalf of another
> > user.
> 
> this makes sense.
> 
> > 
> > 
> > I found if I log in as admin and click on the "customers" tab, there is
> > a nice switch user function.  I can look into session and check if
> > $Session->{su} exists.  If it does, I can allow access to my privileged
> > functions.
> > 
> > 
> > This all seems to work, but I am wondering if it is safe to rely on the
> > existence of $Session->{su} for determining if the user's previous login
> > was su?
> 
> the thing i struggle with is why do you care? and safe for what value
> of safe? anyone who can create embedded perl code which you run
> can do

Because I don't want "regular" users to have access to privileged
functionality/pages (namely my quote building pages).  I need to see if
the user was last logged in as an admin, and then determine access.

And I guess by safe, I mean reliable and non-spoofable (not from a
programming standpoint, but from the client).

- Brian



