[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.481

Chris McDonough chrism@zope.com
Tue, 11 Jun 2002 14:47:45 -0400


Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv6139

Modified Files:
	CHANGES.txt 
Log Message:



=== Zope/doc/CHANGES.txt 1.480 => 1.481 ===
     new Features:
 
+      - A new permission "Copy or Move" was added.  This permission
+        may be used respective to an object to prevent objects
+        from being copyable or movable while within the management
+        interface.  The "old" behavior stipulated that users whom
+        possessed the "View management screens" permission to an object's
+        container could copy or move the object arbitrarily, even if they
+        had limited access to the object itself.  Once the object was
+        moved or copied, the user became the owner of the new object,
+        allowing them to see potentially sensitive information in
+        the management interface for the object itself.  This permission
+        is granted to Manager and Anonymous by default, and must be
+        revoked on an object-by-object basis if site managers intend
+        to provide management screen access to folders which contain
+        sensitive subobjects.  This patch came as a result of 
+        Collector #376 (thanks to Chris Deckard).
+
       - Structured Text's "DocumentWithImages" class did not recognize
         image filenames with underscores.
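Review bot: The default described at the end of the new entry ("granted to Manager and Anonymous by default, and must be revoked on an object-by-object basis") keeps the old behavior in place until a site manager acts, so the entry should say explicitly that upgrading alone does not close the exposure reported in Collector #376. Because the text describes users gaining ownership of a copy and seeing potentially sensitive information, it would also help to mark the item as security-relevant rather than listing it only under "new Features". Wording: "users whom possessed" should be "users who possessed", and "may be used respective to an object" reads more clearly as "may be set on an object". The log message for this commit is empty; a one-line summary referencing Collector #376 would make the change easier to find in history.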