On Sep 3, 12:13 am, "erik.mossberg" <[email protected]> wrote: > Are we supposed to give XML_RPC to anonymous? > > I would prefer to give to only authenticated, but perhaps this does > not mean the security hole it appears to mean. >
XML_RPC permission is required to be allowed to make any API call. Then each method will further check its permssions depending on what it requires - and as of recent plugin version that also includes permssions as enforced by regular Trac security policy plugins whereever that makes sense. An API user should not be able to do things through API that he/she isn't allowed to do using a browser. :::simon https://www.coderesort.com http://www.ohloh.net/accounts/osimons --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Trac Users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/trac-users?hl=en -~----------~----~----~----~------~----~------~--~---
