[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.621
Jim Fulton
jim@zope.com
Wed, 11 Jun 2003 15:32:01 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv7967/doc
Modified Files:
CHANGES.txt
Log Message:
Changed the zpublisher_validated_hook to check whether the request
contains a version name. If it does, then we check whether the user
globally has permission to join/leave versions. If they don't, we
clear the cookie and raise Unauthorized. This will abort any changes that
might have been made during traversal. (If some traversal code makes
changes and commits them, then we still lose and probably deserve to.)
=== Zope/doc/CHANGES.txt 1.620 => 1.621 ===
--- Zope/doc/CHANGES.txt:1.620 Wed Jun 11 13:36:46 2003
+++ Zope/doc/CHANGES.txt Wed Jun 11 15:31:30 2003
@@ -126,6 +126,12 @@
handling that would always break if the first argument was not
an extension class because the second argument was a type.
+ - Any write request could be tricked into writing into a version
+ be setting a version cookie or by including a version name in
+ the request. Now we require the user to globally have
+ permission to join or leave versions to run a request in a
+ version.
+
Zope 2.6.1 beta 2
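Review bot: The second added line has a typo, "be setting a version cookie" should read "by setting a version cookie". The entry also leaves out the failure behaviour that the log message describes: a request that names a version without the global join/leave permission has its cookie cleared and gets Unauthorized. Consider adding a sentence to that effect, since that is what a site administrator will see after upgrading. The log message's caveat that traversal code which commits its own changes is not rolled back is also worth a mention here, because the entry as written reads as a complete fix.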