[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.535.2.115
Jim Fulton
jim@zope.com
Tue, 10 Jun 2003 13:40:25 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv16889
Modified Files:
Tag: Zope-2_6-branch
CHANGES.txt
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)
=== Zope/doc/CHANGES.txt 1.535.2.114 => 1.535.2.115 ===
--- Zope/doc/CHANGES.txt:1.535.2.114 Mon Jun 9 10:31:31 2003
+++ Zope/doc/CHANGES.txt Tue Jun 10 13:40:24 2003
@@ -6,6 +6,13 @@
Post-Zope 2.6.2 beta 2
+ Backward incompatabilities
+
+ - We no longer honor local security settings that would allow
+ someone to join or leave versions unless the location of the
+ settings is a folder directly or indirectly containing the
+ user's user folder.
+
Bugs Fixed
- Product initialization would only consult a file named "version.txt"
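Review bot: "incompatabilities" in the new heading is misspelled and should read "Backward incompatibilities". The entry also states the rule only in terms of where the local security settings live; it should say what a user sees when the check fails (per the log message, the version cookie is cleared and Unauthorized is raised), so administrators can recognise the new behaviour after upgrading.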
@@ -19,6 +26,13 @@
- Collector #928: DateIndex ignored timezones when indexing and
querying
+
+ - Any write request could be tricked into writing into a version
+ be setting a version cookie or by including a version name in
+ the request. Now we require the user to globally have
+ permission to join or leave versions to run a request in a
+ version.
+
Zope 2.6.2 beta 2
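Review bot: "be setting a version cookie" in the new Bugs Fixed entry should be "by setting a version cookie". Because this entry records an access-control fix, it should also state the observable result (per the log message, the cookie is cleared and Unauthorized is raised) and point to the backward-incompatibility entry added earlier in this patch, since both describe the same change and a reader of one should be led to the other.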