I'm looking at the tail end of a 14 hour work day today. It's been a very long time since I've done that. Wound up reworking part of Ganymede's permissions system. I had left a hole in the permissions system, where the "built-in" fields that all objects automatically have (Owner List, Notes, Expiration Date, Removal Date) did not have their permissions tracked independently of the object as a whole. That meant that if an end user was allowed to edit an object to change their password, that end user was also capable of mucking with those four fields.
Bad, dumb, silly, senseless. But I fixed it good, and put in a number of explicit permissions rules in the server that will make everything a lot safer in the presence of a malicious client. In general, I've been very good about making the server not trust the client for anything, but there were some subtle aspects to the permission rules that assumed good behavior on the client's part rather than being explicitly enforced. No more.
So.. a good, old-fashioned late night hack session, with lots of good music (Morcheeba, the soundtrack to Trainspotting) cranked up way louder than I can do when I'm not the only engineering staff member in the building. And I've got some good changes that will make version 1.0.5 worthwhile soon, yay.