[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.621

Jim Fulton jim@zope.com
Wed, 11 Jun 2003 15:32:01 -0400


Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv7967/doc

Modified Files:
	CHANGES.txt 
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)



=== Zope/doc/CHANGES.txt 1.620 => 1.621 ===
--- Zope/doc/CHANGES.txt:1.620	Wed Jun 11 13:36:46 2003
+++ Zope/doc/CHANGES.txt	Wed Jun 11 15:31:30 2003
@@ -126,6 +126,12 @@
        handling that would always break if the first argument was not
        an extension class because the second argument was a type.
 
+     - Any write request could be tricked into writing into a version
+       be setting a version cookie or by including a version name in
+       the request.  Now we require the user to globally have
+       permission to join or leave versions to run a request in a
+       version.
+
 
   Zope 2.6.1 beta 2
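
Review bot: The first sentence of the added CHANGES entry has a typo: "be setting a version cookie" should read "by setting a version cookie". The entry also leaves out the behaviour the log message describes for a rejected request (the version cookie is cleared and Unauthorized is raised) and the stated limitation that changes already committed by traversal code are not undone. Suggest adding one sentence covering both, so administrators reading CHANGES.txt know what a denied request looks like and what the check does not cover.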