On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <[EMAIL PROTECTED]> wrote:

> The last release is 9 months old, and none has been done since the TLP
> graduation.
> I'd like to release Continuum 1.2.
> We fixed 128 issues:
> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
>
> The staging repo is here: http://people.apache.org/~olamy/staging-repo/

If you're using project group permissions, there's a fairly serious
security issue in 1.2.  Any project group admin can grant roles all
the way up to system administrator, to himself and others.
(CONTINUUM-1867)

I'm conflicted about releasing this as-is.  On one hand, if you're
depending on the roles to prevent access to projects, it's seriously
broken.  On the other hand... most people I've talked to aren't using
this feature, and even if the roles *are* working, any developer can
check in a script, which runs as the Continuum user, and do pretty
much anything they want.

Thoughts?

-- 
Wendy
