small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)

Brian Lloyd brian@zope.com
Tue, 10 Jun 2003 09:05:02 -0400


FYI - we plan for this to be fixed in 2.6.2, preferably by fixing
the version machinery to require the "join / leave versions"
permission (which is assigned only to managers by default).


Brian Lloyd        brian@zope.com
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com


> -----Original Message-----
> From: zope-dev-admin@zope.org [mailto:zope-dev-admin@zope.org]On Behalf
> Of Oliver Bleutgen
> Sent: Tuesday, June 10, 2003 7:35 AM
> To: zope-dev@zope.org
> Subject: Re: small summary and big plea was:(Re: [Zope-dev] Versions:
> should they die?)
>
>
> Chris Withers wrote:
> > Shane Hathaway wrote:
> >
> >>
> >> My opinion on this is a little different.  It's quite easy for anyone
> >> to make mischief on any Zope server that lets people make even minor
> >> changes to the site, such as giving feedback, posting a discussion
> >> item, etc.
>
> On the weekend I had the idea that it's even easier. See
> http://zope.nipltd.com/public/lists/dev-archive.nsf/ByKey/D1CAAEC689AB7BA9
> how to do that on a Zope server.
>
> >> All you have to do is include a Zope-Version cookie in the
> >> request and your changes will place a lock on any objects that the
> >> request touches.  Zope doesn't even check the validity of the
> >> Zope-Version cookie.  Anyone who is not a ZODB expert would have a
> >> hard time bringing the site back to sanity.
> >
> >
> > This was my fear, and it's pretty shocking.
> >
> > Maybe Oliver should do just such a thing on both collector.zope.org and
> > zope.org, or maybe cbsnewyork.com to prove a point and then this issue
> > will get the attention it deserves ;-)
>
> Yeah, and I'm sure I'd get personal attention too, in a way I'd prefer
> not to get ;).
>
> cheers,
> oliver
>
>