[ https://issues.apache.org/jira/browse/ROL-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868989#comment-13868989 ]

Greg Huber commented on ROL-1983:
---------------------------------

Glen,

This is used in the ajax lists, checking the servlet web.xml we have

<servlet-mapping>
    <servlet-name>UserDataServlet</servlet-name>
    <url-pattern>/roller-ui/authoring/userdata/*</url-pattern>
</servlet-mapping>

and in the spring security we have:

<intercept-url pattern="/roller-ui/authoring/**" access="admin,editor"/>

i.e. the servlet mapping
/roller-ui/authoring/userdata/*
matches
pattern="/roller-ui/authoring/**"

Which implies that we need to have a role of admin or editor.  This should not 
be open to public access, but once logged in it would be to the session.

Cheers Greg.

> stop using servlet call for user administration
> -----------------------------------------------
>
>                 Key: ROL-1983
>                 URL: https://issues.apache.org/jira/browse/ROL-1983
>             Project: Apache Roller
>          Issue Type: Task
>          Components: User Management
>    Affects Versions: 5.1
>            Reporter: Glen Mazza
>
> For some reason the Roller user list is presently implemented via a servlet, 
> allowing the list of blog users and email addresses to be publicly accessible 
> for those accessing the URL.  Goal here is to shut off the servlet and use a 
> traditional Struts/JPA method of listing the users on the page, perhaps 
> similar to our blog entry listing screen.
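The comment above rests on Ant-style path matching: the servlet prefix mapping `/roller-ui/authoring/userdata/*` falls under the `<intercept-url pattern="/roller-ui/authoring/**">` rule, so every request the servlet can receive already requires the admin or editor role. The following Python is an added example, not Roller or Spring code, that re-implements that matching (`*` within one segment, `**` across segments, first matching rule wins, and a path matched by no rule is treated as unprotected, which is the assumption made here) and audits servlet mappings against intercept rules. The `MISPLACED` mapping is a constructed counter-example to show what the audit reports when a servlet sits outside the protected prefix.

```python
"""Added example: find which Spring Security <intercept-url> rule governs the
request paths a servlet <url-pattern> can receive.  Ant-style matching is
re-implemented here in plain Python; this is not Roller's or Spring's code."""
import re
from typing import Dict, List, Optional, Tuple


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regular expression."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):                  # zero or more whole segments
            parts.append("(?:/.*)?/")
            i += 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            parts.append("(?:/.*)?")                        # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")                           # wildcard confined to one segment
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def effective_access(path: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Access attribute of the first <intercept-url> whose pattern matches `path`.
    Returns None when no rule matches; assumed here to mean no authorization check."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None


def probe_paths(url_pattern: str) -> List[str]:
    """Representative request paths a servlet <url-pattern> can receive."""
    if url_pattern.endswith("/*"):                          # prefix mapping, e.g. /a/b/*
        prefix = url_pattern[:-2]
        return [prefix, prefix + "/", prefix + "/x", prefix + "/x/y"]
    return [url_pattern]                                    # exact mapping


# Access values treated as "reachable without a role" by this audit.
PUBLIC = {None, "permitAll", "anonymous", "ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY"}


def audit(servlets: Dict[str, str], rules: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each servlet name to the probe paths that end up publicly reachable."""
    findings: Dict[str, List[str]] = {}
    for name, url_pattern in servlets.items():
        exposed = [p for p in probe_paths(url_pattern)
                   if effective_access(p, rules) in PUBLIC]
        if exposed:
            findings[name] = exposed
    return findings


# Mapping and rule quoted in the comment above.
SERVLETS = {"UserDataServlet": "/roller-ui/authoring/userdata/*"}
RULES = [("/roller-ui/authoring/**", "admin,editor")]

# Constructed counter-example (not from Roller): the same servlet mapped one
# level up falls outside the protected prefix and would answer anonymously.
MISPLACED = {"UserDataServlet": "/roller-ui/userdata/*"}

if __name__ == "__main__":
    print(audit(SERVLETS, RULES))    # {}  -> every probe path requires admin or editor
    print(audit(MISPLACED, RULES))   # lists the four unprotected probe paths
```

Running the audit over the real `web.xml` and security XML (parsing them with `xml.etree` into the same dictionary and list shapes) turns the manual check in the comment into something that can be re-run whenever a servlet mapping or intercept rule changes.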



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)