#107 - /api/attendees should be accessed only in a BasicAuth context,…

… from check-in operators and/or sponsors (cherry picked from commit 1d11e76)
alfio-event · Mar 21, 2016 · ba4924a · ba4924a
1 parent 2365e93
commit ba4924a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/main/java/alfio/config/WebSecurityConfig.java b/src/main/java/alfio/config/WebSecurityConfig.java
@@ -133,7 +133,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .antMatchers(ADMIN_API + "/**").hasAnyRole(ADMIN, OWNER)
                 .antMatchers("/admin/**/export/**").hasAnyRole(ADMIN, OWNER)
                 .antMatchers("/admin/**").hasAnyRole(ADMIN, OWNER, OPERATOR)
-                .antMatchers("/api/attendees/sponsor-scan").denyAll()
+                .antMatchers("/api/attendees/**").denyAll()
                 .antMatchers("/**").permitAll()
                 .and()
                 .formLogin()