[Zope] Security: allow manage_changeProperties globally

Milos Prudek milos.prudek@tiscali.cz
Tue, 04 Feb 2003 14:19:45 +0100


If "Manage properties" permission is allowed for Anonymous, is it a 
security breach?

In other words, is it possible to put manage_changeProperties in a URL?

I tried 
http://www.somewhere.com/somedocument/manage_changeProperties?title=xxx, 
it ran successfully but the title remained intact...

I need to increment a document property "number of readers". Is it safer 
to disable "Manage properties" for Anonymous and to assign Proxy role 
"Manager" to the method that calls manage_changeProperties and 
increments number of readers?


-- 
Milos Prudek