https://sourceforge.net/p/forge/site-support/1658/ is set to private, but https://sourceforge.net/p/forge/site-support/_discuss/thread/d4066c48/ is accessible as an anonymous user.
We should check per-artifact ACLs for _discuss urls, or (perhaps even better), remove the _discuss URLs if they aren't used for anything. That needs to be tested though - e.g. moderation might use them, I've seen them after a form submit that doesn't work (antispam spinner timeout)
Log in to post a comment.