[
https://issues.apache.org/jira/browse/ROL-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869005#comment-13869005
]
Glen Mazza commented on ROL-1983:
---------------------------------
OK, I checked, you're correct that I have to log into my blog first.
But right now, just as a vanilla JRoller blog owner (not a blog administrator),
by logging into my JRoller account I can see a shortened list of users (JRoller
has 1000s more people, mostly old and unused accounts though):
http://www.jroller.com/roller-ui/authoring/userdata/ . Of course, JRoller uses
Roller 3.1, so maybe this doesn't hold with 5.1 (I suspect it's the same issue
there though). But I should not have access to this information, because I
don't have access to the User Admin page (i.e., I'm not a blog admin), all the
other blog owners and their email addresses are none of my business -- the
above link should 404 for me.
Another problem with the above implementation is that I won't see *all* users
(as I should), but just the first 50 of them. This makes User Admin
unfunctionable, as you can't alter accounts beyond those first 50.
> stop using servlet call for user administration
> -----------------------------------------------
>
> Key: ROL-1983
> URL: https://issues.apache.org/jira/browse/ROL-1983
> Project: Apache Roller
> Issue Type: Task
> Components: User Management
> Affects Versions: 5.1
> Reporter: Glen Mazza
>
> For some reason the Roller user list is presently implemented via a servlet,
> allowing the list of blog users and email addresses to be publicly accessible
> for those accessing the URL. Goal here is to shut off the servlet and use a
> traditional Struts/JPA method of listing the users on the page, perhaps
> similar to our blog entry listing screen.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
