[Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

[Chris McDonough]

Bummer. :-(  It really seems like the help system should just be 
rewritten.  The fact that it applies the dreaded "write on read" 
pattern, uses persistent objects and the catalog to provide help has 
been a thorn in our side for a while.  I think we should just come up 
with a much simpler help system that doesn't provide any sort of search 
capability that reads the help files from disk rather than spend much 
time fixing this problem.

Ivo van der Wijk wrote:
> Hi,
> 
> I'm sorry to repost my question here, but noone seems to be able to give
> me any information on the standard Zope mailinlist.
> 
> I still do, however, find the problem described below annoying, and it could
> be even considered a security bug (somewhat), or at least a Help page DOS :)
> 
> 


-- 
Chris McDonough                    Zope Corporation
http://www.zope.org             http://www.zope.com
"Killing hundreds of birds with thousands of stones"