On 11 Sep 2010, at 04:28, Mike Moulton wrote:

>> I can't speak to whether this was by intent or not, but I would
>> definitely recommend preventing anonymous access to /system. Beyond
>> that, it gets very application-specific quickly.

That might be a bit too much, as there are things under /system that anon users need access to: login endpoints and anything not real content. We have been using /system for those sorts of things, and where there is any connection to content URLs starting /_*. The usermanager URLs certainly do need to be restricted, especially the list and locate functions; admin only, I suspect.

Ian
