#5887 Per-artifact ACLs not checked on _discuss URLs

v1.0.0
closed
General
nobody
2015-08-20
2013-02-26
No

https://sourceforge.net/p/forge/site-support/1658/ is set to private, but https://sourceforge.net/p/forge/site-support/_discuss/thread/d4066c48/ is accessible as an anonymous user.

We should check per-artifact ACLs for _discuss urls, or (perhaps even better), remove the _discuss URLs if they aren't used for anything. That needs to be tested though - e.g. moderation might use them, I've seen them after a form submit that doesn't work (antispam spinner timeout)

Discussion

  • Dave Brondsema

    Dave Brondsema - 2013-02-26
    • status: open --> in-progress
    • assigned_to: Dave Brondsema
    • size: --> 2
     
  • Dave Brondsema

    Dave Brondsema - 2013-02-26
    • status: in-progress --> code-review
     
  • Dave Brondsema

    Dave Brondsema - 2013-02-26

    allura:db/5887

    Make a ticket private, and ensure that its _discuss thread URL is no longer accessible anonymously. Also, prefix /rest/ in the URL and it shouldn't be accessible either.

     
  • Cory Johns

    Cory Johns - 2013-02-26
    • status: code-review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2013-02-26
    • private: Yes --> No
     

Log in to post a comment.