Hello,

Just tried zsyncer, and let me tell you that this tool is great! However, it seems that there is a quite big security problem with the current version: if you place the zsyncer on a subfolder of root, it still gives you the ability to sync root folders, and any subfolder, whether you have the rights to do so or not. It's not a problem if you are root, but else... False alert? I hope I explained the problem clearly enough...

Something else: I'm not sure it's always the right action to delete something which is on production and not on source ("extra this (red): object is on production but not development, it needs deleting from production"); for example, if it's user feedback, it would be cool to add those to the source server (for backups for instance), and it would probably never need to be deleted.

As I said, still the nicest product I found for Zope. And this proves that XML-RPC is robust and fast. (I would say a *lot* faster than FTP for instance).

Philippe Jadin
www.123piano.com
> However, it seems that there is a quite big security problem with the current version: if you place the zsyncer on a subfolder of root, it still gives you the ability to sync root folders, and any subfolder, whether you have the rights to do so or not. It's not a problem if you are root, but else...
I know there is the Manager role problem, where a Manager has the right to do absolutely anything. That bug is in the collector. I was quite careful about security so I'd like to plug any hole asap. Could you give me any more detail such as what role, permissions etc?
> I'm not sure it's always the right action to delete something which is on production and not on source ("extra this (red): object is on production but not development, it needs deleting from production"); for example, if it's user feedback, it would be cool to add those to the source server (for backups for instance), and it would probably never need to be deleted.
Yeah, ZSyncer is a works-for-me release. I don't need to do a sync from the destination to a source, and as long as I continue to use it I never will. This may be a feature to add later, but currently I have no interest in changing this.
> As I said, still the nicest product I found for Zope. And this proves that XML-RPC is robust and fast. (I would say a *lot* faster than FTP for instance).
Thanks. -- Andy McKay.
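The scoping check Philippe describes as missing (a sync tool mounted in a subfolder should not be able to reach objects outside that subfolder) is shown below as an added Python example. It is not ZSyncer's code and does not reproduce anything from the thread; the function names, the mount point and the requested paths are invented for illustration, and the object paths are plain slash-separated strings as in a Zope folder tree.

```python
import posixpath


def in_scope(base, requested):
    """Return True if `requested` names `base` itself or an object below it.

    Both arguments are slash-separated object paths. They are normalised
    first so that '..' segments, doubled slashes and trailing slashes
    cannot be used to step outside `base`.
    """
    base_n = posixpath.normpath("/" + base.strip("/"))
    req_n = posixpath.normpath("/" + requested.strip("/"))
    if base_n == "/":
        # A tool mounted at the root legitimately sees the whole tree.
        return True
    # Compare whole path segments: '/site/staging2' must not pass for
    # '/site/staging', so the prefix is checked with its trailing slash.
    return req_n == base_n or req_n.startswith(base_n + "/")


def filter_sync_targets(base, requested):
    """Split a list of requested object paths into (allowed, rejected)."""
    allowed = [p for p in requested if in_scope(base, p)]
    rejected = [p for p in requested if not in_scope(base, p)]
    return allowed, rejected


# Constructed sample input (hypothetical paths, not from the original thread):
# the tool is mounted at /site/staging and a client asks to sync these objects.
MOUNT_POINT = "/site/staging"
REQUESTED = [
    "/site/staging/index_html",      # inside the mount point
    "/site/staging/docs/",           # trailing slash, still inside
    "/",                             # the root folder: must be refused
    "/site",                         # parent of the mount point: refused
    "/site/staging2",                # sibling with a shared prefix: refused
    "/site/staging/../admin",        # '..' traversal out of scope: refused
    "site/staging//docs//faq",       # relative, doubled slashes: inside
]

if __name__ == "__main__":
    ok, denied = filter_sync_targets(MOUNT_POINT, REQUESTED)
    for path in ok:
        print("allow", path)
    for path in denied:
        print("deny ", path)
```

Containment is only half of the check: each object that passes it still has to be tested against the caller's actual permissions on that object, which is the Manager-role problem Andy mentions above and is left to Zope's own security machinery here.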