FYI - we plan for this to be fixed in 2.6.2, preferably by fixing the version machinery to require the "join / leave versions" permission (which is assigned only to managers by default).
Brian Lloyd [EMAIL PROTECTED]
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
> Of Oliver Bleutgen
> Sent: Tuesday, June 10, 2003 7:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: small summary and big plea was:(Re: [Zope-dev] Versions:
> should they die?)
>
>
> Chris Withers wrote:
> > Shane Hathaway wrote:
> >
> >>
> >> My opinion on this is a little different. It's quite easy for anyone
> >> to make mischief on any Zope server that lets people make even minor
> >> changes to the site, such as giving feedback, posting a discussion
> >> item, etc.
>
> On the weekend I had the idea that it's even easier. See
> http://zope.nipltd.com/public/lists/dev-archive.nsf/ByKey/D1CAAEC689AB7BA9
> how to do that on a Zope server.
>
> >> All you have to do is include a Zope-Version cookie in the
> >> request and your changes will place a lock on any objects that the
> >> request touches. Zope doesn't even check the validity of the
> >> Zope-Version cookie. Anyone who is not a ZODB expert would have a
> >> hard time bringing the site back to sanity.
> >
> >
> > This was my fear, and it's pretty shocking.
> >
> > Maybe Oliver should do just such a thing on both collector.zope.org and
> > zope.org, or maybe cbsnewyork.com to prove a point and then this issue
> > will get the attention it deserves ;-)
>
> Yeah, and I'm sure I'd get personal attention too, in a way I'd prefer
> not to get ;).
>
> cheers,
> oliver
>
>
> _______________________________________________
> Zope-Dev maillist - [EMAIL PROTECTED]
> http://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope )
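
An added illustration of the cookie behaviour discussed in this thread (not part of the original messages and not Zope code): a front-end filter that drops the Zope-Version cookie from requests whose sender is not allowed to use versions, and reports which requests carried it. The function names, the `is_manager` flag and the sample requests are assumptions constructed for this example.

```python
# Added illustration, not Zope code: drop an unauthorised Zope-Version cookie
# before the request reaches the application server, and report who sent it.

VERSION_COOKIE = "Zope-Version"  # cookie name as given in the thread


def filter_cookie_header(header, may_use_versions):
    """Return (cleaned_header, stripped) for one Cookie request header.

    may_use_versions is the caller's decision (assumption: derived from an
    authenticated role holding the "join / leave versions" permission).
    """
    if may_use_versions or not header:
        return header, False
    kept, stripped = [], False
    for pair in header.split(";"):
        name = pair.split("=", 1)[0].strip()
        # Compare case-insensitively so a re-cased name is not let through.
        if name.lower() == VERSION_COOKIE.lower():
            stripped = True
            continue
        if pair.strip():
            kept.append(pair.strip())
    return "; ".join(kept), stripped


def audit(requests):
    """Yield (client, path) for requests whose version cookie was stripped."""
    for req in requests:
        _, stripped = filter_cookie_header(req["cookie"], req["is_manager"])
        if stripped:
            yield req["client"], req["path"]


# Constructed sample requests (not real traffic).
SAMPLE = [
    {"client": "198.51.100.7", "path": "/feedback", "is_manager": False,
     "cookie": 'tree-s="abc"; Zope-Version="constructed-value"'},
    {"client": "192.0.2.10", "path": "/manage_main", "is_manager": True,
     "cookie": 'Zope-Version="/site/redesign"'},
    {"client": "198.51.100.9", "path": "/index_html", "is_manager": False,
     "cookie": 'tree-s="xyz"'},
]

if __name__ == "__main__":
    for client, path in audit(SAMPLE):
        print("stripped Zope-Version cookie:", client, path)
```

A filter like this only narrows exposure at the edge; the permission check inside the version machinery described in the message above is the actual fix.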