[ic] Saving shopping carts on behalf of a customer.

Mike Heins mike at perusion.com
Tue Dec 7 12:45:43 EST 2004


Quoting Brian Kaney (brian at vermonster.com):
> On Tue, 2004-12-07 at 11:55, Mike Heins wrote:
> > Quoting Brian Kaney (brian at vermonster.com):
> > > 
> > > 
> > > The issue I am having is the administrator needs to be able to save a
> > > named shopping cart (containing the quotation) on behalf of another
> > > user.
> > 
> > this makes sense.
> > 
> > > 
> > > 
> > > I found if I log in as admin and click on the "customers" tab, there is
> > > a nice switch user function.  I can look into session and check if
> > > $Session->{su} exists.  If it does, I can allow access to my privileged
> > > functions.
> > > 
> > > 
> > > This all seems to work, but I am wondering if it is safe to rely on the
> > > existence of $Session->{su} for determining if the user's previous login
> > > was su?
> > 
> > the thing i struggle with is why do you care? and safe for what value
> > of safe? anyone who can create embedded perl code which you run
> > can do
> 
> Because I don't want "regular" users to have access to privileged
> functionality/pages (namely my quote building pages).  I need to see if
> the user was last logged in as an admin, and then determine access.
> 
> And I guess by safe, I mean reliable and non-spoofable (not from a
> programming standpoint, but from the client).

then it is safe from that standpoint, particularly if that part
of the page tree is not writable by the interchange user ID.
-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

p.s. sorry for lower case, injured hand

Some people have twenty years of experience, some people have
one year of experience twenty times over. -- Anonymous

