Oliver Bleutgen wrote at 2003-6-6 11:46 +0200:
... Bad properties of this implementation:
1. The "Join/Leave Versions" permission doesn't secure entering versions.
2. Zope doesn't care if a corresponding Version instance to the value of REQUEST['Zope-Version'] exists; more exactly, Zope doesn't care about the value of that Zope-Version variable at all.
3. And (minor problem, but whatever), since Zope relies completely on the browser to send cookies only at the right time (i.e. the path set for the cookie must match a prefix of the request-URI), this might also give unexpected results with acquisition.
Security implications:
Doh, anybody who can read/write to a zope server can get it to read/write from/to any version he likes, and the admin has no way of anticipating that short of patching zope. Combine that with sites like squishdot, collector.zope.org and you get chaos.
Big plea:
Really, this _is_ a security bug, and it should be handled that way and fixed in 2.6.2 by any means, so that all(!) bad properties I listed above are gone.
1. is difficult to change. When we had a post-authentication hook (a hook called by ZPublisher after authentication has been done), then we could check in this hook that the user has the right to enter the version. Such a hook would be extremely helpful for other applications, too.
2. would be easy to fix. I already posted an outline for the check.
3. is already implemented correctly (I think).

Dieter