
Ticket #26790 (assigned)

Opened 21 months ago

Last modified 20 months ago

Anonymous users can edit tickets created by others

Reported by: cstrobbe
Owned by: ctsai
Keywords: ENGR NF-4829 FORGE P3
Cc:
Private: no

Description

Recently, I have noticed that an anonymous user managed to edit feature requests that were created by a project admin. This happened in a project where feature-requests Permissions are as follows: anonymous users are allowed to READ, POST and CREATE, but not to update feature requests.

Is there a bug in SourceForge or am I overlooking a setting? This is very annoying because it is being abused by spammers.

Attachments

صورة 024.jpg (28.6 KB) - added by naif123 14 months ago.
hacker yemen

Change History

Changed 21 months ago by ctsai

  • keywords PEND added; spam, permissions removed
  • owner set to ctsai
  • status changed from new to assigned

Greetings,

Is this regarding odt2braille? Your co-admin logged another ticket on this issue where we recommended to him to edit the permissions. At the time the edits were made, it's likely that bertfrees hadn't edited the permissions yet.

Please review that correspondence and let me know if you concur with my assessment.

Thanks,
Chris Tsai, SourceForge.net Support

Changed 21 months ago by bertfrees

Hi Christophe,

You probably looked at the permissions after I changed them. Now we shouldn't get any spam anymore. The other issue I mentioned is still being investigated by the SourceForge team. (Sometimes when I edit or reply to a feature request, all the other replies disappear.)

Bert

Changed 21 months ago by cstrobbe

Hi Bert, Chris,

Unfortunately, the spam problem has not disappeared: I still get moderation requests for spam from an anonymous user who has overwritten the content of a feature request (i.e. its summary, description and label). See <https://sourceforge.net/p/odt2braille/feature-requests/37/>.

Christophe

Changed 21 months ago by ctsai

  • keywords PEND removed

Seems the remigration left some duplicate records in the database, which is causing issues with the permissions working properly. The team is going to clean this up and I'll let you know when this is fixed.

Regards,
Chris Tsai, SourceForge.net Support

Changed 20 months ago by ctsai

  • keywords ENGR NF-4829 FORGE P3 added

Greetings,

The duplicate records are fixed; however, the tickets still seem to be anonymously editable, so we've reopened this issue here: <https://sourceforge.net/p/allura/tickets/4829/>

Regards,
Chris Tsai, SourceForge.net Support

Changed 14 months ago by naif123

hacker yemen
