[Zope] Zsyncer problem?

Andy McKay andym@ActiveState.com
Wed, 30 May 2001 14:21:59 -0700


> However, it seems that there is a quite big security problem with the
> current version: if you place the zsyncer on a subfolder of root, it still
> gives you the ability to sync root folders, and any subfolder, whether you
> have the rights to do so or not. It's not a problem if you are root, but
> otherwise...

I know there is the Manager role problem, where a Manager has the right to
do absolutely anything. That bug is in the collector. I was quite careful
about security so I'd like to plug any hole asap. Could you give me any more
detail such as what role, permissions etc?

> I'm not sure it's always the right action to delete something which is on
> production and not on source ("extra this (red): object is on production but
> not development, it needs deleting from production"), for example, if it's
> user feedback, it would be cool to add those to the source server (for
> backups for instance), and would probably never need to be deleted.

Yeah, ZSyncer is a works-for-me release. I don't need to do a sync from the
destination to a source, and as long as I continue to use it never will.
This may be a feature to add later, but currently I have no interest in
changing this.

> As I said, still the nicest product I found for zope. And this proves that
> xml-rpc is robust and fast. (I would say a *lot* faster than ftp for
> instance).

Thanks.
--
  Andy McKay.
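[Editor's note, added example, not code from ZSyncer or from either poster.] The report above describes two checks a folder-rooted sync tool should make before acting on a path: that the target lies inside the folder the tool was installed in, and that the calling user actually holds the needed permission there. The Python below is a hypothetical, self-contained sketch of both checks. The permission model is a simplification of Zope's (permissions granted on a folder are assumed to acquire down to its children), the permission name "Manage objects" and the paths are made up for illustration, and the function names are my own.

```python
"""Hypothetical scope and permission check for a folder-rooted sync tool.

Not ZSyncer's code. Paths are Zope-style object paths ("/site/staging/news").
Permission acquisition (grants on an ancestor apply to descendants) is an
approximation of Zope's model, assumed here for illustration.
"""
from posixpath import normpath


def normalize(path):
    """Collapse '..' and '.' segments and duplicate slashes into one absolute path."""
    return normpath("/" + path.strip("/"))


def within_scope(tool_root, target):
    """True if `target` is `tool_root` itself or lives somewhere beneath it.

    Both arguments are normalized first, so '/site/staging/../../etc' is
    treated as '/etc' and correctly rejected for a tool rooted at '/site/staging'.
    """
    root = normalize(tool_root)
    target = normalize(target)
    if root == "/":
        # A tool installed at the root legitimately covers everything.
        return True
    return target == root or target.startswith(root + "/")


def permissions_at(path, grants):
    """Collect permissions the user holds on `path` and all its ancestors.

    `grants` maps an object path to the set of permissions the calling user
    holds there (constructed test data stands in for a real ACL lookup).
    """
    path = normalize(path)
    parts = [] if path == "/" else path.strip("/").split("/")
    held = set()
    for depth in range(len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])  # depth 0 yields "/"
        held |= grants.get(prefix, set())
    return held


def authorize_sync(tool_root, requested, grants, needed="Manage objects"):
    """Decide whether a sync of `requested` may proceed.

    Returns (allowed, reason). The scope check runs first so that a path
    outside the tool's folder is refused even for a user who would otherwise
    hold the permission there.
    """
    target = normalize(requested)
    if not within_scope(tool_root, target):
        return False, "target %s is outside the tool's folder %s" % (target, normalize(tool_root))
    if needed not in permissions_at(target, grants):
        return False, "caller lacks %r on %s" % (needed, target)
    return True, "ok"


# Constructed sample: the tool lives in /site/staging and the caller was granted
# "Manage objects" only on that folder (which acquires down to its children).
SAMPLE_TOOL_ROOT = "/site/staging"
SAMPLE_GRANTS = {"/site/staging": {"Manage objects", "View"}}

if __name__ == "__main__":
    for requested in ("/site/staging/news",
                      "/",
                      "/site/other",
                      "/site/staging/../../etc"):
        print(requested, "->", authorize_sync(SAMPLE_TOOL_ROOT, requested, SAMPLE_GRANTS))
    # A caller with no grants at all is refused even inside the tool's folder.
    print("no grants ->", authorize_sync(SAMPLE_TOOL_ROOT, "/site/staging/news", {}))
```

Running the block prints one decision per sample path; the two ".." and root-folder cases are the ones the report above says the current release does not refuse, and the empty-grants case shows the permission check being applied independently of the scope check.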