I added SLING-1642 for tracking and changed the default (+fixed the affected integration tests) in revision 984646.
Please verify when you get a chance.

Regards,
Eric

On Wed, Aug 11, 2010 at 6:18 AM, Felix Meschberger <[email protected]> wrote:

> +1 (and yes, don't care for backwards compatibility here. Security is
> more important)
>
> Regards
> Felix
>
> On 11.08.2010 09:15, Mike Müller wrote:
> > Hi
> >
> > Wouldn't it be safer if this feature is turned off by default?
> >
> > best regards
> > mike
> >
> >> -----Original Message-----
> >> From: Eric Norman [mailto:[email protected]]
> >> Sent: Wednesday, August 11, 2010 2:57 AM
> >> To: [email protected]
> >> Subject: Re: User managment
> >>
> >> Hi Tony,
> >>
> >> Looks to me like you have discovered a bug. The self-reg enabled flag is
> >> not handled correctly when activating the component.
> >>
> >> I filed a new bug report
> >> (SLING-1639 <https://issues.apache.org/jira/browse/SLING-1639>)
> >> to track the defect and I will fix it now.
> >>
> >> Regards,
> >> -Eric
> >>
> >> On Tue, Aug 10, 2010 at 11:08 AM, Tony Giaccone
> >> <[email protected]> wrote:
> >>
> >>> I'm reading from the Sling web site:
> >>>
> >>> "The jackrabbit-usermanager bundle delivers a REST interface to create,
> >>> update and delete users...."
> >>>
> >>> And I have been able to successfully add a user, by executing the
> >>> following curl cmnd.
> >>>
> >>> curl -F:name=reader -Fpwd=ourReader -FpwdConfirm=ourReader -F"desc=Read only access" \
> >>>   http://localhost:8080/sling/system/userManager/user.create.html
> >>>
> >>> Except that it seems that anyone at any time can post to this URL and
> >>> create a user.
> >>>
> >>> So I looked at the configuration for that bundle and found a checkbox
> >>> labeled:
> >>>
> >>>   Self-Registration Enabled
> >>>
> >>>   When selected, the anonymous user is allowed to register a new user
> >>>   with the system. (self.registration.enabled)
> >>>
> >>> And that checkbox was checked. So it seems that I should be able to
> >>> uncheck that box and prevent anonymous user creation.
> >>>
> >>> However, it doesn't work. I can still create new users as anonymous.
> >>>
> >>> What am I doing wrong?
> >>>
> >>> Tony
