# HG changeset patch
# User Sylvain Thénault <sylvain.thenault@logilab.fr>
# Date 1268813790 -3600
# Node ID d2fc161bee3f14851a0320996d96ce6cefe99b67
# Parent  270aba1e6fa21dac6b070e7815e6d1291f9c87cd
[session] fix hijack_user: most transaction_data should be copied (everything but the entity cache

diff -r 270aba1e6fa2 -r d2fc161bee3f server/session.py
--- a/server/session.py	Tue Mar 16 18:10:59 2010 +0100
+++ b/server/session.py	Wed Mar 17 09:16:30 2010 +0100
@@ -153,7 +153,12 @@
     def hijack_user(self, user):
         """return a fake request/session using specified user"""
         session = Session(user, self.repo)
-        session._threaddata.pool = self.pool
+        threaddata = session._threaddata
+        threaddata.pool = self.pool
+        # everything in transaction_data should be copied back but the entity
+        # type cache we don't want to avoid security pb
+        threaddata.transaction_data = self.transaction_data.copy()
+        threaddata.transaction_data.pop('ecache', None)
         return session
 
     def add_relation(self, fromeid, rtype, toeid):