+1 (and yes, don't care for backwards compatibility here. Security is
more important)

Regards
Felix

On 11.08.2010 09:15, Mike Müller wrote:
> Hi
> 
> Wouldn't it be safer if this feature is turned off by default?
> 
> best regards
> mike
> 
>> -----Original Message-----
>> From: Eric Norman [mailto:[email protected]]
>> Sent: Wednesday, August 11, 2010 2:57 AM
>> To: [email protected]
>> Subject: Re: User managment
>>
>>
>> Hi Tony,
>>
>> Looks to me like you have discovered a bug.  The self-reg enabled flag is
>> not handled correctly when activating the component.
>>
>> I filed a new bug report
>> (SLING-1639 <https://issues.apache.org/jira/browse/SLING-1639>)
>> to track the defect and I will fix it now.
>>
>> Regards,
>> -Eric
>>
>> On Tue, Aug 10, 2010 at 11:08 AM, Tony Giaccone
>> <[email protected]> wrote:
>>
>>>
>>> I'm reading from the Sling web site:
>>>
>>> "The jackrabbit-usermanager bundle delivers a REST interface to create,
>>> update and delete users...."
>>>
>>> And I have been able to successfully add a user, by executing the following
>>> curl command.
>>>
>>> curl -F:name=reader -Fpwd=ourReader -FpwdConfirm=ourReader -F"desc=Read only access" http://localhost:8080/sling/system/userManager/user.create.html
>>>
>>> Except that it seems that anyone at any time can post to this URL and
>>> create a user.
>>>
>>>
>>> So I looked at the configuration for that bundle and found a checkbox
>>> labeled:
>>>
>>> Self-Registration Enabled
>>>
>>>        When selected, the anonymous user is allowed to register a new user
>>> with the system. (self.registration.enabled)
>>>
>>>
>>> And that checkbox was checked. So it seems that I should be able to uncheck
>>> that box and prevent anonymous user creation.
>>>
>>> However, it doesn't work. I can still create new users as anonymous.
>>>
>>> What am I doing wrong?
>>>
>>>
>>> Tony
>>
> 
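
The fail-closed handling of the self-registration flag discussed in this thread, as an added example that is not part of the original messages and is not Sling's code. The class `SelfRegistrationGate`, its methods and the anonymous user id `"anonymous"` are hypothetical; only the property name `self.registration.enabled` comes from the thread.

```java
import java.util.Map;

/** Hypothetical gate for anonymous user creation; not the Sling implementation. */
public class SelfRegistrationGate {
    // Property name as quoted in the thread.
    static final String PROP = "self.registration.enabled";
    // Assumed id of the anonymous user.
    static final String ANONYMOUS = "anonymous";

    // Fail closed: disabled until a configuration explicitly enables it.
    // volatile because activation and request handling may run on different threads.
    private volatile boolean selfRegistrationEnabled = false;

    /** Call on component activation and again on every configuration change. */
    public void activate(Map<String, ?> config) {
        selfRegistrationEnabled = parseFlag(config == null ? null : config.get(PROP));
    }

    /** Only an explicit true (Boolean, or the string "true") enables the feature. */
    static boolean parseFlag(Object raw) {
        if (raw instanceof Boolean) return (Boolean) raw;
        if (raw instanceof String) return Boolean.parseBoolean(((String) raw).trim());
        return false; // missing value or unexpected type: stay disabled
    }

    /**
     * Decision a create-user handler consults before doing any work.
     * Authenticated callers pass this gate only; their repository
     * privileges must still be checked separately.
     */
    public boolean mayCreateUser(String requestUserId) {
        boolean isAnonymous = requestUserId == null || ANONYMOUS.equals(requestUserId);
        return !isAnonymous || selfRegistrationEnabled;
    }

    public static void main(String[] args) {
        SelfRegistrationGate gate = new SelfRegistrationGate();
        // Constructed configurations covering the cases raised in the thread.
        gate.activate(Map.of());               // nothing configured
        System.out.println("unset:   " + gate.mayCreateUser(ANONYMOUS)); // false
        gate.activate(Map.of(PROP, "false"));  // checkbox unchecked, value as String
        System.out.println("\"false\": " + gate.mayCreateUser(ANONYMOUS)); // false
        gate.activate(Map.of(PROP, true));     // checkbox checked
        System.out.println("true:    " + gate.mayCreateUser(ANONYMOUS)); // true
        gate.activate(Map.of(PROP, false));    // re-activated after being unchecked
        System.out.println("false:   " + gate.mayCreateUser(ANONYMOUS)); // false
    }
}
```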
