Date: Tue, 26 Dec 2006 13:39:43 -0300
From: "Jesse McConnell"
To: continuum-dev@maven.apache.org
Subject: Re: "Add project group" button not protected from unauthenticated users.

there are a number of things along these lines that I noticed in a
little audit of the action classes that I noticed. Once rahul and I get
the key based refactor wrapped up I think we'll try and link up with
some work jason has been kicking around to improve the UI and xmlrpc
code interface and security wise in one swoop.

jesse

On 12/26/06, Wendy Smoak wrote:
> On 11/28/06, Christian Edward Gruber wrote:
> >
> > Hey. Just FYI, in the trunk the unauthenticated user (and other
> > logged-in, unempowered users) can create new project groups.
>
> Thanks, this appears to be fixed in the latest code. (The 'Add
> project group' button no longer appears.)
>
> --
> Wendy
>

--
jesse mcconnell
jesse.mcconnell@gmail.com