#7942 In project admin - user permissions, removing a custom group needs to use POST

v1.3.1
closed
General
Heith Seewald
2015-08-10
2015-07-30
No

Right now it uses GET, and is vulnerable to CSRF.

Discussion

  • Dave Brondsema

    Dave Brondsema - 2015-07-30
    • status: open --> review
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2015-07-30

    Fix on branch db/7942

     
  • Dave Brondsema

    Dave Brondsema - 2015-07-30
    • labels: security, sf-current --> security, sf-current, sf-1
     
  • Heith Seewald

    Heith Seewald - 2015-07-30
    • Reviewer: Heith Seewald
     
  • Heith Seewald

    Heith Seewald - 2015-07-30
    • status: review --> closed
     
  • Heith Seewald

    Heith Seewald - 2015-07-30

    Looks good.

     
  • Dave Brondsema

    Dave Brondsema - 2015-07-30
    • private: Yes --> No
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-10
    • labels: security, sf-current, sf-1 --> security, sf-1
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-10
    • Milestone: unreleased --> v1.3.1
     

Log in to post a comment.