[Zope-dev] Re: small summary and big plea was:(Re: Versions: should they die?)

Jim Fulton jim@zope.com
Tue, 10 Jun 2003 12:34:13 -0400


Shane Hathaway wrote:
> Brian Lloyd wrote:
> 
>> FYI - we plan for this to be fixed in 2.6.2, preferably by fixing
>> the version machinery to require the "join / leave versions"
>> permission (which is assigned only to managers by default).
> 
> 
> It will be interesting to find out how this can be accomplished.  To use 
> a version, you have to specify the version at the time of opening the 
> database.  Before opening the database, the application has no access to 
> user accounts, let alone security settings.

Right, but you can always abort the transaction later.

I simply added some logic in the zpublisher_validated_hook
to check if the request includes the version variable and, if so,
to check whether the user has the join/leave version permission
*globally*.  If they don't, I clear the cookie and raise unauthorized.

Unfortunately, this is not backward compatible because, with this change,
a user can't be given a local role that lets them join/leave versions.

Jim


-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (703) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
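The check Jim describes, modelled as a self-contained Python sketch added to this archive page (it is not Zope's own zpublisher_validated_hook, security API or cookie handling; the permission name, cookie name and the User/Request classes are assumptions). It shows the two points of the message: the version selection is refused and the cookie cleared when the user lacks the permission globally, and a user who holds the permission only through a local role is still refused, which is the backward-incompatibility noted above.

```python
"""Constructed model of a post-authentication hook that rejects a request
carrying a version cookie unless the user holds the join/leave permission
globally.  Not Zope code; names below are hypothetical."""

JOIN_LEAVE_VERSIONS = "Join/leave Zope versions"  # hypothetical permission name
VERSION_COOKIE = "Zope-Version"                   # hypothetical cookie name


class Unauthorized(Exception):
    """Raised to abort the request; a real publisher would turn this into a 401."""


class User:
    def __init__(self, name, global_permissions=(), local_permissions=None):
        self.name = name
        self.global_permissions = set(global_permissions)
        # local_permissions: {object_path: {permission, ...}} granted via local roles
        self.local_permissions = local_permissions or {}

    def has_global_permission(self, permission):
        return permission in self.global_permissions

    def has_permission(self, permission, object_path):
        # A local role on object_path can grant the permission there only.
        return (self.has_global_permission(permission)
                or permission in self.local_permissions.get(object_path, set()))


class Request:
    def __init__(self, cookies=None, path="/"):
        self.cookies = dict(cookies or {})
        self.path = path
        self.expired_cookies = []  # records which cookies the hook cleared

    def expire_cookie(self, name):
        self.cookies.pop(name, None)
        self.expired_cookies.append(name)


def validated_hook(request, user):
    """Run after authentication: decide whether the version selection stands.

    Returns the version name kept for this request, or None when the request
    carries no version cookie.  Clears the cookie and raises Unauthorized when
    the user lacks the permission globally; local roles are deliberately not
    consulted, matching the behaviour described in the message."""
    version = request.cookies.get(VERSION_COOKIE)
    if version is None:
        return None
    if not user.has_global_permission(JOIN_LEAVE_VERSIONS):
        request.expire_cookie(VERSION_COOKIE)
        raise Unauthorized(f"{user.name} may not work in version {version!r}")
    return version


def attempt(request, user):
    """Demo helper: return ('ok', version) or ('denied', None)."""
    try:
        return "ok", validated_hook(request, user)
    except Unauthorized:
        return "denied", None


if __name__ == "__main__":
    manager = User("manager", global_permissions=[JOIN_LEAVE_VERSIONS])
    anonymous = User("anonymous")
    # Permission granted only through a local role on /docs: refused by the
    # global check even though has_permission() would allow it there.
    local_editor = User("editor", local_permissions={"/docs": {JOIN_LEAVE_VERSIONS}})
    for u in (manager, anonymous, local_editor):
        req = Request(cookies={VERSION_COOKIE: "draft"}, path="/docs")
        print(u.name, attempt(req, u), "cookie cleared:", req.expired_cookies)
```

Running the block prints one line per user: the manager keeps the version, the anonymous user and the locally-privileged editor are both denied and have the cookie cleared. The editor case is the one to watch: a site that relied on local roles to grant version access would see those users locked out by a global-only check.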