Details
Suggestion
Resolution: Fixed
Description
In the Bamboo admin section, in the Global Permissions section, I enabled ACCESS for Anonymous users.
On one Plan, Anonymous users have View permissions for the plan. If, as that anonymous user, I navigate to the Plan and then paste a URL for deleting a comment into my browser bar, it allows me to delete the Plan Comment.
/build/ajax/deleteComment.action?commentId=4784131&buildKey=BAMBOO-TASKS&buildNumber=1
I would not think that an anonymous user, even with view permissions to the Plan, should be able to delete a comment.
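
A way to check a server's access logs for the behaviour reported above, as an added example that is not part of the original report or Atlassian's code: it flags requests to the delete-comment action that carry no authenticated user. The log layout (common log format with the username in the third field, `-` when anonymous), the sample lines, and the reading of a 2xx status as "the action ran" are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout (common log format); adjust LINE_RE to your deployment:
#   host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ACTION_PATH = "/build/ajax/deleteComment.action"  # path from the report


def find_anonymous_deletes(lines):
    """Return requests to the delete-comment action made without a logged-in user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        url = urlsplit(m["target"])
        # endswith() tolerates a servlet context path such as /bamboo
        if not url.path.endswith(ACTION_PATH) or m["user"] != "-":
            continue
        query = parse_qs(url.query)
        status = int(m["status"])
        hits.append({
            "host": m["host"],
            "time": m["time"],
            "method": m["method"],
            "status": status,
            # Assumption: 2xx means the action ran; a redirect or 4xx means it was refused
            "served": 200 <= status < 300,
            "comment_id": query.get("commentId", [""])[0],
            "build_key": query.get("buildKey", [""])[0],
        })
    return hits


# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2015:10:01:02 +0000] "GET /browse/BAMBOO-TASKS HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2015:10:01:09 +0000] "GET /build/ajax/deleteComment.action?commentId=4784131&buildKey=BAMBOO-TASKS&buildNumber=1 HTTP/1.1" 200 64',
    '198.51.100.7 - alice [12/Mar/2015:10:05:00 +0000] "POST /build/ajax/deleteComment.action?commentId=4784140&buildKey=BAMBOO-TASKS&buildNumber=2 HTTP/1.1" 200 64',
    '203.0.113.5 - - [12/Mar/2015:10:07:30 +0000] "GET /bamboo/build/ajax/deleteComment.action?commentId=4784150&buildKey=BAMBOO-TASKS&buildNumber=3 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_anonymous_deletes(SAMPLE_LOG):
        print(hit)
```

Entries with `served` set to true are the ones to review against the plan's comment history.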