[ic] Saving shopping carts on behalf of a customer.
Mike Heins
mike at perusion.com
Tue Dec 7 12:45:43 EST 2004
Quoting Brian Kaney (brian at vermonster.com):
> On Tue, 2004-12-07 at 11:55, Mike Heins wrote:
> > Quoting Brian Kaney (brian at vermonster.com):
> > >
> > >
> > > The issue I am having is the administrator needs to be able to save a
> > > named shopping cart (containing the quotation) on behalf of another
> > > user.
> >
> > this makes sense.
> >
> > >
> > >
> > > I found if I log in as admin and click on the "customers" tab, there is
> > > a nice switch user function. I can look into session and check if
> > > $Session->{su} exists. If it does, I can allow access to my privileged
> > > functions.
> > >
> > >
> > > This all seems to work, but I am wondering if it is safe to rely on the
> > > existence of $Session->{su} for determining if the user's previous login
> > > was su?
> >
> > the thing i struggle with is why do you care? and safe for what value
> > of safe? anyone who can create embedded perl code which you run
> > can do
>
> Because I don't want "regular" users to have access to privileged
> functionality/pages (namely my quote building pages). I need to see if
> the user was last logged in as an admin, and then determine access.
>
> And I guess by safe, I mean reliable and non-spoofable (not from a
> programming standpoint, but from the client).
then it is safe from that standpoint, particularly if that part
of the page tree is not writable by the interchange user ID.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
p.s. sorry for lower case, injured hand
Some people have twenty years of experience, some people have
one year of experience twenty times over. -- Anonymous
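
An added example, not part of the original message or of Interchange itself: a shell function that checks the condition in the reply above, that the page tree holding the privileged pages is not writable by the account the Interchange daemon runs as. The directory and account passed to it are whatever your installation uses; the check reads ownership and mode bits only, so ACLs are an unexamined assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list entries under DIR that USER
# can modify, judged from ownership and mode bits alone. ACLs, root
# privileges and mount options are not considered.
#
# Usage: writable_by DIR USER
#   DIR  - page tree holding the privileged pages (site-specific path)
#   USER - account the Interchange daemon runs as (name or numeric uid)
writable_by() {
    dir=$1
    user=$2

    # Entries the user owns with the owner-write bit (0200) set, plus
    # anything world-writable (0002), which is reported regardless of owner.
    # Symlinks are skipped because their own mode bits are meaningless.
    find "$dir" ! -type l \
        \( \( -user "$user" -perm -200 \) -o -perm -002 \) -print

    # Entries owned by someone else but group-writable (0020) through a
    # group the user belongs to. World-writable ones were already listed.
    for gid in $(id -G "$user" 2>/dev/null); do
        find "$dir" ! -type l ! -user "$user" \
            -group "$gid" -perm -020 ! -perm -002 -print
    done
}

# Run directly as: sh script.sh DIR USER
if [ "$#" -eq 2 ]; then
    writable_by "$1" "$2"
fi
```

Empty output means no file or directory in the tree can be changed by that account; a listed directory matters as much as a listed file, since write access to a directory allows the pages inside it to be replaced.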