Apache Allura™ / Tickets / #5887 Per-artifact ACLs not checked on

#5887 Per-artifact ACLs not checked on _discuss URLs

Milestone: v1.0.0

Status: closed

Owner: Dave Brondsema

Labels: p1 (4) security (36) sf-2 (994)

Component: General

Reviewer: nobody

Updated: 2015-08-20

Created: 2013-02-26

Creator: Dave Brondsema

Private: No

https://sourceforge.net/p/forge/site-support/1658/ is set to private, but https://sourceforge.net/p/forge/site-support/_discuss/thread/d4066c48/ is accessible as an anonymous user.

We should check per-artifact ACLs for _discuss urls, or (perhaps even better), remove the _discuss URLs if they aren't used for anything. That needs to be tested though - e.g. moderation might use them, I've seen them after a form submit that doesn't work (antispam spinner timeout)

Discussion

Dave Brondsema - 2013-02-26

status: open --> in-progress

assigned_to: Dave Brondsema

size: --> 2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-02-26

status: in-progress --> code-review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-02-26

allura:db/5887

Make a ticket private, and ensure that its _discuss thread URL is no longer accessible anonymously. Also, prefix /rest/ in the URL and it shouldn't be accessible either.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2013-02-26

status: code-review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-02-26

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#5887 Per-artifact ACLs not checked on _discuss URLs

Discussion