December 13, 2009 01:06 AM
Jeff
It seems the default setting is to let the Guest user submit new bug reports (at least, I don't see how I could have ever set this setting to True). This is a security problem, because it completely bypasses the need for authentication; spammers can just submit stuff like that without needing to be moderated or to even create an account.
I tried to check if this was indeed the default setting, but couldn't figure it out by looking at the code.
December 13, 2009 01:17 AM
Robert
I agree that this shouldn't be the default, but it is not a security issue. You can change this in Administration --> Users & Permissions --> Usergroups --> Unregistered/Not Logged In [Edit] --> Can Submit Bugs --> NO.
On December 13, 2009 01:17 AM, Robert changed:
- Severity from "Major" to "Trivial"
On February 15, 2010 04:58 PM, Robert changed:
- Status from "Unconfirmed" to "Closed"
- Resolution from "Open" to "Won't Fix"
February 15, 2010 05:20 PM
Jeff
Well, I would argue that default settings like this *are* a security issue. Unless you manually review everything before starting to use bugdar, it completely defeats the (expected) purpose of the user accounts categories. What's the point in distinguishing guests from registered users by default if both can post spam?
You don't see PHP shipping with register_globals = True by default, for example. The expectation is that the default setting is to be secure, and that if you enable it, then you know what you're doing. This is like Windows shipping with world-writeable folder shares by default (or something along those lines).