[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.535.2.115

Jim Fulton jim@zope.com
Tue, 10 Jun 2003 13:40:25 -0400


Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv16889

Modified Files:
      Tag: Zope-2_6-branch
	CHANGES.txt 
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)

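The check described in the log message, as an added illustration written for this page rather than Zope's own zpublisher_validated_hook code. The cookie/form key name, the permission title and the toy Request, User and Transaction classes are assumptions; what the example shows is that the version name arrives in attacker-controlled request data (cookie or form), that only a globally held permission is consulted (a grant local to some folder is ignored), and that refusing in the hook also throws away anything traversal already wrote, because the whole transaction is aborted.

```python
# Added illustration, not Zope's code.  Names marked "assumed" are not on the page.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised by the hook when the request may not run in a version."""


VERSION_KEY = "Zope-Version"                 # assumed cookie/form key name
JOIN_LEAVE_VERSIONS = "Join/leave Versions"  # assumed permission title


class Transaction:
    """Toy transaction: buffered writes are discarded on abort."""

    def __init__(self):
        self.writes = []
        self.committed = False
        self.aborted = False

    def record(self, what):
        self.writes.append(what)

    def commit(self):
        self.committed = True

    def abort(self):
        self.writes = []
        self.aborted = True


@dataclass
class Request:
    form: dict = field(default_factory=dict)     # attacker-controlled
    cookies: dict = field(default_factory=dict)  # attacker-controlled
    expired_cookies: list = field(default_factory=list)

    def version_name(self):
        """A version can be named in the form or in a cookie."""
        return self.form.get(VERSION_KEY) or self.cookies.get(VERSION_KEY)

    def expire_cookie(self, name):
        self.cookies.pop(name, None)
        self.expired_cookies.append(name)


@dataclass
class User:
    name: str
    global_permissions: frozenset = frozenset()
    # Permissions granted in some folder of the site.  The fixed hook
    # deliberately never looks at these when deciding about versions.
    local_permissions: dict = field(default_factory=dict)


def validated_hook_before(request, user):
    """Pre-fix behaviour: whatever version the request names is used."""
    return request.version_name()


def validated_hook_after(request, user):
    """Post-fix behaviour: a version request needs the global permission."""
    version = request.version_name()
    if version is None:
        return None  # ordinary request, nothing to check
    if JOIN_LEAVE_VERSIONS not in user.global_permissions:
        request.expire_cookie(VERSION_KEY)  # clear the cookie first
        raise Unauthorized(f"{user.name} may not work in version {version!r}")
    return version


def publish(request, user, hook):
    """Run one write request: traversal, then the hook, then the write."""
    tx = Transaction()
    tx.record("traversal side effect")  # may happen before the hook runs
    try:
        version = hook(request, user)
    except Unauthorized:
        tx.abort()  # the traversal write is lost together with everything else
        raise
    tx.record("write into " + (version or "main tree"))
    tx.commit()
    return tx


def attempt(request, user, hook):
    """Run publish() and summarise the outcome for inspection."""
    try:
        tx = publish(request, user, hook)
        return {"outcome": "committed", "writes": tx.writes,
                "expired": request.expired_cookies}
    except Unauthorized:
        return {"outcome": "unauthorized", "writes": [],
                "expired": request.expired_cookies}


if __name__ == "__main__":
    # Constructed sample: alice holds the permission only locally, bob globally.
    alice = User("alice", local_permissions={"/folder": frozenset({JOIN_LEAVE_VERSIONS})})
    bob = User("bob", global_permissions=frozenset({JOIN_LEAVE_VERSIONS}))
    print(attempt(Request(cookies={VERSION_KEY: "v1"}), alice, validated_hook_before))
    print(attempt(Request(cookies={VERSION_KEY: "v1"}), alice, validated_hook_after))
    print(attempt(Request(form={VERSION_KEY: "v1"}), bob, validated_hook_after))
```

With the old hook a version cookie alone sends alice's write into "v1"; with the new hook the same request ends in Unauthorized, the cookie is expired, and the traversal write is gone with the aborted transaction, while bob, who holds the permission globally, is still allowed in.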

=== Zope/doc/CHANGES.txt 1.535.2.114 => 1.535.2.115 ===
--- Zope/doc/CHANGES.txt:1.535.2.114	Mon Jun  9 10:31:31 2003
+++ Zope/doc/CHANGES.txt	Tue Jun 10 13:40:24 2003
@@ -6,6 +6,13 @@
   
   Post-Zope 2.6.2 beta 2
 
+    Backward incompatabilities
+
+      - We no longer honor local security settings that would allow
+        someone to join or leave versions unless the location of the
+        settings is a folder directly or indirectly containing the
+        user's user folder.
+
     Bugs Fixed
 
       - Product initialization would only consult a file named "version.txt"
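Review bot: "Backward incompatabilities" in the added heading is misspelled; it should read "Backward incompatibilities". The entry also states the new rule only in the negative (which local settings are no longer honored); someone upgrading would want the positive form from the log message as well, namely that a user must now hold the join/leave versions permission globally, i.e. through settings effective at or above their own user folder, for a request to run in a version.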
@@ -19,6 +26,13 @@
 
       - Collector #928: DateIndex ignored timezones when indexing and
         querying
+
+      - Any write request could be tricked into writing into a version
+        be setting a version cookie or by including a version name in
+        the request.  Now we require the user to globally have
+        permission to join or leave versions to run a request in a
+        version.
+
 
   Zope 2.6.2 beta 2
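Review bot: "be setting a version cookie" in the new entry should read "by setting a version cookie". The entry also omits what the user sees when the check fails; the log message says the version cookie is cleared and Unauthorized is raised, aborting the request's changes, and that is worth stating here because administrators will now see Unauthorized errors for requests that previously went through.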