Phil Holmes wrote Saturday, May 16, 2015 11:17 AM
>
>> Trevor Daniels wrote Tuesday, May 12, 2015 9:15 PM
>>
>>> I'm sure we'll find some undesirable features of Allura when we get down 
>>> to the details, but that's what the next few weeks will tell us.
>>
>> I've pretty well completed my assessment of Allura at SourceForge, and 
>> find the facilities available pretty well match our needs, in fact they 
>> are surprisingly similar to those at GoogleCode.  There are some 
>> differences but none which we can't live with.  So far so good.
>>
>> However, there is a show-stopper concerning the integrity of the Issues 
>> discussions recorded in the tracker.  Each item in the discussion has an 
>> owner, and this is set to Anonymous during the import, since the original 
>> owner is not recognised as a SourceForge account-holder.  This in itself 
>> is not a serious problem, as the correct owner is recorded in the text of 
>> the message.  However, owners of discussion messages are always permitted 
>> to edit them, irrespective of the permission settings, and I can find no 
>> way of preventing this.  That means Anonymous, which is any not-logged-in 
>> user, i.e. anyone, will be able to edit, accidentally or maliciously, any 
>> and all discussion entries in our Issues DB.
>>
>> I've reported this to the SourceForge maintainers:
>> https://sourceforge.net/p/forge/site-support/10317/
> 
> 
> Good detective work.  This might be a pain, but don't think it's a 
> show-stopper: there's no evidence it would actually happen.  If it becomes a 
> problem, we might well be able to get a script to update the owners?

Unless the developers accept the weakness and fix it I guess we have
no choice.  At least new posts by SF account-holders, i.e. developers and
users who choose to register, will be properly protected.

Re a script: it's possible for an admin or dev to change the owner of the 
original ticket via the online interface, but I can see no way to 
change the owner of a subsequent post, neither online as an administrator 
nor via the API.

Trevor
_______________________________________________
lilypond-devel mailing list
lilypond-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-devel
