On 9/10/10 3:41 PM, Ian Boston wrote:
>
> On 11 Sep 2010, at 04:28, Mike Moulton wrote:
>
>>> I can't speak to whether this was by intent or not, but I would
>>> definitely recommend preventing anonymous access to /system. Beyond
>>> that, it gets very application-specific quickly.
>
> That might be a bit too much as there are things under /system that anon
> users need access to.
> login end points and anything not real content.
>
> We have been using /system for those sorts of things, and where there is any
> connection to content urls starting /_*
>
> The usermanager urls certainly do need to be restricted, especially the list
> and locate functions admin only I suspect.
>
> Ian

Yeah. I misspoke. I meant /system/userManager, not just /system.

Justin
