Reported by Ciaran Gultnieks, Mar 24, 2009
Unless I misunderstand, there is no need to add an auth token to the timeline feed URL for a project unless the project is private. Currently it's added regardless, if the user is logged in. This adds an unnecessary risk of the user accidentally exposing the token, and will also mean that the URL will become invalid if the user changes their password.
Comment 1 by Ciaran Gultnieks, Mar 24, 2009
Patch attached that makes it only add the token if the project is private, which I think is the correct logic.
Comment 2 by Loïc d'Anterroches, Mar 26, 2009
It is a bit more complicated as you need to take into account whether a tab is available only to project members or admins. But the approach is good from a security point of view. I will push the check of whether the token is needed or not into the IDF_Project object, as it will be needed for the other feeds.
Comment 3 by Loïc d'Anterroches, Oct 8, 2009
Fixed in commit e5934e0, thanks for your patience. I have added the isRestricted method on the IDF_Project object to make the check.
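The logic the thread converges on (attach a token to a feed URL only when anonymous readers could not see that feed, and bind the token to the password so a password change invalidates old URLs) as an added, self-contained example. This is illustrative Python written for this page, not Indefero's PHP code or its real IDF_Project API; the names Project, User, tab_access, members, admins, feed_url, feed_token and check_feed_token, the "members"/"admins" access levels, the URL layout and the server secret are all assumptions for the example.

```python
"""Decide when a feed URL needs an auth token and make that token depend on
the stored password hash.  Illustrative example, not Indefero's code; every
name here is an assumption chosen for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-install secret; a real deployment would load it from config.
SERVER_SECRET = b"constructed-per-install-secret"


@dataclass
class User:
    login: str
    password_hash: str  # whatever the app stores; only the fact that it changes matters here


@dataclass
class Project:
    shortname: str
    private: bool = False
    # tab name -> who may read it: "all", "members" or "admins" (assumed model)
    tab_access: dict = field(default_factory=dict)
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)

    def is_restricted(self, tab: str) -> bool:
        """Mirror of the isRestricted idea: True when an anonymous reader could
        not see this tab, either because the project is private or because the
        tab is limited to members/admins.  Only then does a feed need a token."""
        return self.private or self.tab_access.get(tab, "all") != "all"

    def can_read(self, tab: str, user: Optional[User]) -> bool:
        """Authorisation for a tab, used when a token does identify a user."""
        if user is None:
            return not self.is_restricted(tab)
        if user.login in self.admins:
            return True
        level = self.tab_access.get(tab, "all")
        if level == "admins":
            return False
        if level == "members" or self.private:
            return user.login in self.members
        return True


def feed_token(user: User) -> str:
    """login:hmac.  The MAC covers the stored password hash, so once the
    password changes every previously issued feed URL stops verifying."""
    msg = f"{user.login}\0{user.password_hash}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{user.login}:{mac}"


def feed_url(project: Project, tab: str, user: Optional[User] = None) -> str:
    """Build the feed URL; the token is attached only for restricted feeds,
    never merely because someone happens to be logged in."""
    url = f"/p/{project.shortname}/{tab}/feed/"
    if user is not None and project.is_restricted(tab):
        url += "?auth=" + feed_token(user)
    return url


def check_feed_token(project: Project, tab: str, presented: Optional[str],
                     users: dict) -> bool:
    """Server side: public feeds need nothing; restricted feeds need a token
    that recomputes correctly for a user who is allowed to read the tab."""
    if not project.is_restricted(tab):
        return True
    if not presented or ":" not in presented:
        return False
    login = presented.split(":", 1)[0]
    user = users.get(login)
    if user is None:
        return False
    # constant-time comparison; a mismatch also covers a changed password hash
    if not hmac.compare_digest(feed_token(user), presented):
        return False
    return project.can_read(tab, user)


if __name__ == "__main__":
    ciaran = User("ciaran", "hash-v1")  # constructed sample user
    public = Project("pub")
    private = Project("priv", private=True, members={"ciaran"})
    print(feed_url(public, "timeline", ciaran))   # no token on a public feed
    print(feed_url(private, "timeline", ciaran))  # token on a private one
```

The two halves matter together: feed_url decides exposure (no token in a URL that does not need one, so nothing to leak by pasting it into a public feed reader), and check_feed_token ties validity to the current password hash and to membership, so a token that leaks, or one issued before a password change, does not open a restricted feed.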