- **labels**: security, sf-current, sf-1 --> security, sf-1
--- ** [tickets:#7942] In project admin - user permissions, removing a custom group needs to use POST** **Status:** closed **Milestone:** unreleased **Labels:** security sf-1 **Created:** Thu Jul 30, 2015 02:14 PM UTC by Dave Brondsema **Last Updated:** Thu Jul 30, 2015 06:46 PM UTC **Owner:** Dave Brondsema Right now it uses GET, and is vulnerable to CSRF. --- Sent from forge-allura.apache.org because [email protected] is subscribed to https://forge-allura.apache.org/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
