Details
-
Bug
-
Resolution: Won't Fix
-
Medium
-
4.4
-
None
-
4.04
-
Description
We do this for XSRF protection. Basically, you should be able to subvert the web sudo mechanism via an HTTP header.
This post shows the use case:
https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4
I believe it is just as secure, since web sudo is really designed to stop someone using your browser (directly or via XSRF) to perform admin actions as you.
Scripts don't suffer from this problem. They need your username and password to run at all.