ProGet v5.8.3 anonymous user can create feed
-
In the ProGet free version, in v5.8.3 (Docker image), when an anonymous user has only the ViewFeed permission, he can somehow still create feeds when he is not logged in. That does not make sense. Any idea why this behaviour occurs?
Is there any way I can allow the anonymous user to view feeds but not be able to create them?
If I go to proget.inedo.com, I notice the correct behaviour. I am anonymous, and if I try to create a feed it will redirect me to the login page.
-
Hello;
Thanks for the bug report! I've logged this as PG-1801, and it will get shipped in the next maintenance release.
Cheers,
Alana
-
Thank you, and I will be waiting for the release since it's quite a security problem.
-
Definitely, it will be in the next release.
We don't consider it a serious security vulnerability; unprivileged users can create new feeds, but they can't view or use them. Obviously it has potential for "vandalism" (we already see some test feeds created on our public instance, for example), so we will take care of it right away.
-
I just wanted to let you know that this was released in 5.3.10. Please let us know if there are still any issues with this.
Thanks,
Rich
-
@rhessinger The issue was solved with the v5.3.10 release. Thank you.