server/session.py
changeset 4924 d2fc161bee3f
parent 4913 083b4d454192
child 4987 ec93dd82c83f
--- a/server/session.py	Tue Mar 16 18:10:59 2010 +0100
+++ b/server/session.py	Wed Mar 17 09:16:30 2010 +0100
@@ -153,7 +153,12 @@
     def hijack_user(self, user):
         """return a fake request/session using specified user"""
         session = Session(user, self.repo)
-        session._threaddata.pool = self.pool
+        threaddata = session._threaddata
+        threaddata.pool = self.pool
+        # everything in transaction_data should be copied back but the entity
+        # type cache we don't want to avoid security pb
+        threaddata.transaction_data = self.transaction_data.copy()
+        threaddata.transaction_data.pop('ecache', None)
         return session
 
     def add_relation(self, fromeid, rtype, toeid):
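Review bot: The `.copy()` on `self.transaction_data` in `hijack_user` is shallow, so every mutable value other than the popped `'ecache'` entry is still the same object in the original session and in the session running as `user`. Top-level keys set by the hijacked session are not written back, but in-place changes to shared values are, and anything cached there under the original user's rights stays visible to the other user. Dropping a single key by name also means any per-user cache later stored under a new key is shared by default; an explicit list of keys that are safe to carry over would fail closed instead. The comment is hard to parse as written; something like `# share transaction_data with the hijacked session, except 'ecache' (entity cache), which is dropped for security reasons` states the intent. Whether other keys are security-sensitive cannot be confirmed from this hunk, since the code that fills `transaction_data` is outside it.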