Enhancing overall security for the application seems pretty important to me.
I have (today in the SVN) modified the wait applications are authentified. Meaning the default rule is they need authentication.
For the meantime, apart from modifying the code there is no way to permit unidentified pages.
There should be some sort of list of unauthenticated pages (which is hard coded in sys/include.inc for the meantime)
Anonymous
Logged In: YES
user_id=1619409
Originator: YES
I have done the minimum I excpected, I will robably rethink about secutity later on