Repository Security improvement - the default for creating a new repository should be restricted to admins until specifically configured.

2008-11-12T10:32:52
ID ATLASSIAN:FE-810
Type atlassian
Reporter javahollic
Modified 2009-03-10T04:15:59

Description

I just noticed that when setting up repositories, they were created with 'default' which mean if public sign up was on, they were able to see the repos. For the sake of security, a fresh install should default to restricting access to admins, perhaps through a default-created group 'admins'. Anon access should also default to the safe NO option.

Given that access to a repo enables complete tarball dumps, security must take precedence over any initial ease of use...