Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, deshani, dill0wn, and 10 others

#7942 In project admin - user permissions, removing a custom group needs to use POST

Milestone: v1.3.1

Status: closed

Owner: Dave Brondsema

Labels: security (34) sf-1 (616)

Component: General

Reviewer: Heith Seewald

Updated: 2015-08-10

Created: 2015-07-30

Creator: Dave Brondsema

Private: No

Right now it uses GET, and is vulnerable to CSRF.

Discussion

Dave Brondsema - 2015-07-30

status: open --> review

assigned_to: Dave Brondsema
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-07-30

Fix on branch db/7942

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-07-30

labels: security, sf-current --> security, sf-current, sf-1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-07-30

Reviewer: Heith Seewald
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-07-30

status: review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-07-30

Looks good.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-07-30

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-08-10

labels: security, sf-current, sf-1 --> security, sf-1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-08-10

Milestone: unreleased --> v1.3.1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.