[session] fix hijack_user: most transaction_data should be copied (everything but the entity cache
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 17 Mar 2010 09:16:30 +0100
changeset 4924 d2fc161bee3f
parent 4921 270aba1e6fa2
child 4925 0d66fbe050c6
[session] fix hijack_user: most transaction_data should be copied (everything but the entity cache
server/session.py
--- a/server/session.py	Tue Mar 16 18:10:59 2010 +0100
+++ b/server/session.py	Wed Mar 17 09:16:30 2010 +0100
@@ -153,7 +153,12 @@
     def hijack_user(self, user):
         """return a fake request/session using specified user"""
         session = Session(user, self.repo)
-        session._threaddata.pool = self.pool
+        threaddata = session._threaddata
+        threaddata.pool = self.pool
+        # everything in transaction_data should be copied back but the entity
+        # type cache we don't want to avoid security pb
+        threaddata.transaction_data = self.transaction_data.copy()
+        threaddata.transaction_data.pop('ecache', None)
         return session
 
     def add_relation(self, fromeid, rtype, toeid):
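Review bot: The copy added to `hijack_user` drops only the `'ecache'` key, so any other per-user state kept in `transaction_data` is still carried into the session built for `user`. Because `dict.copy()` is shallow, mutable values (lists, sets, nested dicts) also stay shared between the original and the hijacked session, so a change made through one is seen by the other. Whether other keys can hold results computed under the original user's rights is not visible from this hunk; if they can, pop them here too, or build the copy from an explicit list of keys known to be safe to share. The comment is hard to parse and says "entity type cache" where the commit title says "entity cache"; something like `# copy transaction_data into the hijacked session, minus the entity cache ('ecache'), which must not be shared across users for security reasons` would state the intent.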