I think so. This definitely feels like more than 2.
--- ** [tickets:#7685] Subscribe/unsubscribe action should use POST** **Status:** closed **Milestone:** unreleased **Labels:** 42cc sf-current sf-2 **Created:** Tue Sep 16, 2014 05:35 AM UTC by Igor Bondarenko **Last Updated:** Wed Jul 22, 2015 03:52 PM UTC **Owner:** Igor Bondarenko Currently all of subscribe/unsubscribe buttons (in the topbar of any tool's page and in the wiki sidebar) are using GET to make an action. Their should require POST to avoid CSRF. See also discussion at [#4905] --- Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
