You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2015/07/30 20:46:42 UTC
[allura:tickets] #7942 In project admin - user permissions,
removing a custom group needs to use POST
- **private**: Yes --> No
---
** [tickets:#7942] In project admin - user permissions, removing a custom group needs to use POST**
**Status:** closed
**Milestone:** unreleased
**Labels:** security sf-current sf-1
**Created:** Thu Jul 30, 2015 02:14 PM UTC by Dave Brondsema
**Last Updated:** Thu Jul 30, 2015 04:21 PM UTC
**Owner:** Dave Brondsema
Right now it uses GET, and is vulnerable to CSRF.
---
Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.