Brian Lloyd wrote:
FYI - we plan for this to be fixed in 2.6.2, preferably by fixing the version machinery to require the "join / leave versions" permission (which is assigned only to managers by default.
It will be interesting to find out how this can be accomplished. To use a version, you have to specify the version at the time of opening the database. Before opening the database, the application has no access to user accounts, let alone security settings.
Right, but you can always abort the transaction later.
I simply added some logic in the zpublisher_validated_hook to check if the request includes the version variable and, if so, to check whether the user has the join/leave version permission *globally*. If they don't, I clear the cookie and raise unauthorized.
Unfortunately, this is not backward compatible because, with this change, a user can't be given a local role that lets them join/leave versions.
-- Jim Fulton mailto:[EMAIL PROTECTED] Python Powered! CTO (703) 361-1714 http://www.python.org Zope Corporation http://www.zope.com http://www.zope.org
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce