I have just noticed a serious security issue, concerning group maintenance.
When logging in and viewing the group topic for the TWikiAdminGroup
I can edit the group settings by using the "Edit TWikiAdminGroup
settings" button, even if I am not logged in as admin or not part of the group.
When trying to edit the whole topic using the edit function, the action is denied correctly.
Like this, any user can make himself an AdminGroupMember.
Sorry, but I raised this item too early. I was irritated that the fields become editable, but TWiki denies the update correctly when trying to save the values.
Please close this item.
I have set the status to "No Action Required".
Yes, protected on save. And the edit issue has also been fixed in the latest TWiki-5.1.3 release.