This release contains the new changes to the Zope security model to protect against the server-side trojan issue:
http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan
Hmm. Let's say an object is owned by user Joe. I export the object and reimport it in a different Zope installation, where Joe doesn't exist. Who owns the object? Nobody?
No - you do :) Importing is the moral equivalent of "creating" the object. Whenever you create, copy, cut & paste or import you will get ownership of the resulting new object.

To me, the more hairy issue is what if Joe *does* exist in the different Zope installation, and you *do* want Joe to continue to have ownership? Currently, you must either arrange for Joe to do the import (which will give him ownership directly), or import it and use an external method to assign ownership (which is a pain).

One thing we've thought of is that perhaps superuser (and only superuser) could be able to assign ownership through a web interface, which could make this sort of thing a bit easier.

Brian Lloyd
brian@digicool.com
Software Engineer
540.371.6909
Digital Creations
http://www.digicool.com