roller-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Huber (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ROL-1983) Only expose AJAX User List Servlet to admin users
Date Mon, 27 Jan 2014 12:31:38 GMT

    [ https://issues.apache.org/jira/browse/ROL-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13882781#comment-13882781
] 

Greg Huber commented on ROL-1983:
---------------------------------

Glen,

Can you check Committed revision 1561651.  We missed the roller invite option, Preferences
| Members and Invite new member link.

I have re-done the mod, it shows the member screen name rather than the email address for
non admin users.

Cheers Greg.



> Only expose AJAX User List Servlet to admin users
> -------------------------------------------------
>
>                 Key: ROL-1983
>                 URL: https://issues.apache.org/jira/browse/ROL-1983
>             Project: Apache Roller
>          Issue Type: Task
>          Components: User Management
>    Affects Versions: 5.1, 5.0.3
>            Reporter: Glen Mazza
>            Assignee: Glen Mazza
>             Fix For: 5.1, 5.0.4
>
>
> For some reason the Roller user list is presently implemented via a servlet, allowing
the list of blog users and email addresses to be publicly accessible for those accessing the
URL.  Goal here is to shut off the servlet and use a traditional Struts/JPA method of listing
the users on the page, perhaps similar to our blog entry listing screen.
> UPDATE: there's nothing wrong with using a Servlet for this AJAX operation, but we should
only expose the Servlet to those who are logged into Roller as site admins.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message