Issue 650: security is too permissive for public sites.

New issue report by [EMAIL PROTECTED]:
I'm not sure if this is a defect or an enhancement request, but I see it
as a defect...

If a user is not logged in they can view all diffs and review requests.
We run review board on a private network so this is not a huge concern for
us, but it is a blocker for me to consider using RB on a distributed
project where my developers need to use RB over the public internet.

Admittedly, the home page does not show you any information if you are not
logged in, but if you on the click on the "All review requests", you do
see the full list of reviews and you can view them.

*NOTE: Do not post confidential information in this bug report.*

What's the URL of the page containing the problem?
Anything in RB.

What steps will reproduce the problem?
1. Make sure you are not logged in.
2. Go to your RB server http://RB/r
3. click the link for a review and view all of the proprietary IP.

What is the expected output? What do you see instead?
Any page you attempt to view when not logged in should do what the
dashboard homepage does and only display the login dialog.

What operating system are you using? What browser?
Server is running on a Linux box.  It is not a browser issue, this happens
on all browser platforms that I have checked (OSX & PC, ff3, safari, IE).

Please provide any additional information below.

Issue attributes:
        Status: New
        Owner: ----
        Labels: Type-Defect Priority-Medium

You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:

You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To post to this group, send email to
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at

Reply via email to