Anonymous users can edit tickets created by others

[cstrobbe]

Recently, I have noticed that an anonymous user managed to edit feature requests that were created by a project admin. This happened in a project where feature-requests Permissions are as follows: anonymous users are allowed to READ, POST and CREATE, but not to update feature requests.

Is there a bug in SourceForge or am I overlooking a setting? This is very annoying because it is being abused by spammers.

[ctsai]

Greetings,

Is this regarding odt2braille? Your co-admin logged another ticket on this issue where we recommended to him to edit the permissions. At the time the edits were made, it's likely that bertfrees hadn't edited the permissions yet.

Please review that correspondence and let me know if you concur with my assessment.

Thanks,
Chris Tsai, SourceForge.net Support

[bertfrees]

Hi Christophe,

You probably looked at the permissions after I changed them. Now we shouldn't get any spam anymore. The other issue I mentioned is still being investigated by the SourceForge team. (Sometimes when I edit or reply to a feature request, all the other replies disappear.)

Bert

[cstrobbe]

Hi Bert, Chris,

Unfortunately, the spam problem has not disappeared: I still get moderation requests for spam from an anonymous user who has overwritten the content of a feature request (i.e. its summary, description and label). See <https://sourceforge.net/p/odt2braille/feature-requests/37/>.

Christophe

[ctsai]

Seems the remigration left some duplicate records in the database which is causing issues with the permissions working properly. The team is going to clean this up and I'll let you know when this is fixed.

Regards,
Chris Tsai, SourceForge.net Support

[ctsai]

Greetings,

The duplicate records are fixed, however the tickets still seem to be anonymously editable so we've reopened this issue here: https://sourceforge.net/p/allura/tickets/4829/

Regards,
Chris Tsai, SourceForge.net Support

[naif123]

hacker yemen