allura-dev mailing list archives

From "Dave Brondsema" <d...@brondsema.net>
Subject [allura:tickets] #7942 In project admin - user permissions, removing a custom group needs to use POST
Date Mon, 10 Aug 2015 14:28:33 GMT
- **labels**: security, sf-current, sf-1 --> security, sf-1



---

**[tickets:#7942] In project admin - user permissions, removing a custom group needs to use POST**

**Status:** closed
**Milestone:** unreleased
**Labels:** security sf-1 
**Created:** Thu Jul 30, 2015 02:14 PM UTC by Dave Brondsema
**Last Updated:** Thu Jul 30, 2015 06:46 PM UTC
**Owner:** Dave Brondsema


Right now it uses GET, and is vulnerable to CSRF.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
