10 Jun
2003
10 Jun
'03
5:31 p.m.
Shane Hathaway wrote at 2003-6-10 10:15 -0400:
Brian Lloyd wrote:
FYI - we plan for this to be fixed in 2.6.2, preferably by fixing the version machinery to require the "join / leave versions" permission (which is assigned only to managers by default.
It will be interesting to find out how this can be accomplished. To use a version, you have to specify the version at the time of opening the database. Before opening the database, the application has no access to user accounts, let alone security settings.
Let it open the version, perform the traversal and after authentication, check that it was justified. If not, abort the request. Dieter