small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)

Chris Withers chrisw@nipltd.com
Tue, 10 Jun 2003 13:21:27 +0100


Shane Hathaway wrote:
> 
> My opinion on this is a little different.  It's quite easy for anyone to 
> make mischief on any Zope server that lets people make even minor 
> changes to the site, such as giving feedback, posting a discussion item, 
> etc.  All you have to do is include a Zope-Version cookie in the request 
> and your changes will place a lock on any objects that the request 
> touches.  Zope doesn't even check the validity of the Zope-Version 
> cookie.  Anyone who is not a ZODB expert would have a hard time bringing 
> the site back to sanity.

This was my fear, and it's pretty shocking.

Maybe Oliver should do just such a thing on both collector.zope.org and 
zope.org, or maybe cbsnewyork.com to prove a point and then this issue will get 
the attention it deserves ;-)
(not Squishdot.org please, I'm not a ZODB expert and I don't have the expertise 
to fix this bug :-S)

> I think 2.6 ought to fix this by disabling recognition of the 
> Zope-Version cookie and disabling the creation of Version objects, with 
> an option to re-enable.

Yes indeed!

Chris
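The following is an added example, not code from this thread or from Zope itself. It shows the stop-gap a site operator could put in front of a Zope 2 server while waiting for the change Shane proposes: drop the Zope-Version cookie from incoming requests so Zope never recognises it, and scan access logs for requests that already carried it. The cookie name comes from Shane's message; everything else (the function names, the log line format with the request's Cookie header appended as a final quoted field, and the sample log lines) is constructed for illustration.

```python
"""Front-end mitigation for the Zope-Version cookie issue (added example, not Zope code).

Two pieces a practitioner would deploy in front of a Zope 2 server:

  * strip_version_cookie(): remove the cookie from an incoming Cookie: header
    so the request reaches Zope without it (what a reverse proxy or request
    filter would do);
  * find_version_cookie_requests(): scan access-log lines for requests that
    carried the cookie, to find who has already tried it.

Log format is constructed: an Apache-style line with the request's Cookie
header appended as the last quoted field.
"""
import re

LOCK_COOKIE = "Zope-Version"   # cookie name as given in Shane's message


def parse_cookie_header(header):
    """Split a Cookie: header into ordered (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def strip_version_cookie(header):
    """Return (cleaned Cookie header, list of removed Zope-Version values).

    The match is on the cookie name only and case-insensitive: Zope does not
    validate the value, so any value at all would trigger locking and the
    name is the only thing worth keying on.
    """
    kept, removed = [], []
    for name, value in parse_cookie_header(header):
        if name.lower() == LOCK_COOKIE.lower():
            removed.append(value)
        else:
            kept.append(f"{name}={value}")
    return "; ".join(kept), removed


# Constructed line shape: client - - [time] "METHOD PATH PROTO" status bytes "Cookie header"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)"$'
)


def find_version_cookie_requests(lines):
    """Return (client, method, path, version_value) for every log line whose
    Cookie header carried Zope-Version. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        client, method, path, cookie_header = m.groups()
        _, removed = strip_version_cookie(cookie_header)
        for value in removed:
            hits.append((client, method, path, value))
    return hits


# Constructed sample traffic: one ordinary feedback post, one carrying the cookie,
# and one malformed line to show the scanner tolerates it.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2003:13:21:27 +0100] "POST /feedback/addComment HTTP/1.1" 302 0 "_ZopeId=4e3b0d"',
    '198.51.100.7 - - [10/Jun/2003:13:22:01 +0100] "POST /feedback/addComment HTTP/1.1" 302 0 "Zope-Version=scratch; _ZopeId=9a1c2f"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_version_cookie_requests(SAMPLE_LOG):
        print("Zope-Version cookie from %s: %s %s (value %r)" % hit)
```

Stripping the cookie at the front end is only a mitigation; anyone who can reach the Zope port directly still bypasses it, which is why the real fix belongs in Zope itself, as Shane suggests.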