
Bug 431069

Summary: [pmi] "invalidate" URL is not protected
Product: Community
Reporter: Wayne Beaton <wayne.beaton>
Component: Project Management & Portal
Assignee: Portal Bugzilla Dummy Inbox <portal-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal    
Priority: P3    
Version: unspecified   
Target Milestone: 2014-Q1   
Hardware: PC   
OS: Linux   
Whiteboard:

Description Wayne Beaton CLA 2014-03-24 22:13:33 EDT
The invalidate URL is a bit misleading. The user identity (e.g. /user/wbeaton) is part of the URL, but that information is ignored by the implementation, which just invalidates the current user's CLA regardless of the user identified.

It makes no sense for one user to attempt to invalidate the CLA of another, so in order to avoid potential confusion, we should put access protections on it to allow a user to only attempt the invalidation of their own CLA.
Comment 1 Wayne Beaton CLA 2014-03-24 22:13:42 EDT
Fixed
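
The access protection described in this bug, as an added example that is not part of the bug report and is not the portal's own code: one handler ignores the user named in the URL, the other refuses the request unless that user is the logged-in user. The route shape, function names, status codes and in-memory CLA store are assumptions made for illustration.

```python
import re

# Hypothetical route shape; the bug report only shows that the user
# identity (e.g. /user/wbeaton) is part of the URL.
ROUTE = re.compile(r"^/user/(?P<name>[A-Za-z0-9_.-]+)/cla/invalidate$")


def invalidate_unprotected(path, session_user, cla_store):
    """Behaviour described in the report: the user named in the URL is
    ignored and the current user's CLA is invalidated."""
    if ROUTE.match(path) is None:
        return 404
    if session_user is None:
        return 403  # assumption: a login is required either way
    cla_store[session_user] = False
    return 200


def invalidate_protected(path, session_user, cla_store):
    """Only the user named in the URL may invalidate that user's CLA."""
    match = ROUTE.match(path)
    if match is None:
        return 404
    if session_user is None:
        return 403  # anonymous callers never reach the action
    if match.group("name") != session_user:
        return 403  # URL names someone else: refuse and change nothing
    cla_store[session_user] = False
    return 200


def demo():
    """Run both handlers on constructed data and return the outcomes."""
    path = "/user/wbeaton/cla/invalidate"      # constructed request path
    before = {"wbeaton": True, "other": True}  # constructed CLA records
    after = dict(before)
    results = {
        "unprotected": invalidate_unprotected(path, "other", before),
        "protected_other": invalidate_protected(path, "other", after),
        "store_after_refusal": dict(after),
        "protected_owner": invalidate_protected(path, "wbeaton", after),
    }
    results["unprotected_store"] = before
    results["protected_store"] = after
    return results
```

With the unprotected handler, "other" requesting the URL for wbeaton gets a success response while their own record is the one changed, which is the confusion the report describes.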