steps to reproduce: 1. Tester is not signed in 2. Go to the review lists page for an app on your Firefox OS phone 3. Click on Report for one of the listed reviews expected behavior: Report link is not available for anonymous users observed behavior: Report link is available to anonymous users POST /api/v1/apps/rating/447944/flag/?dev=firefoxos&format=json&lang=en-US&pro=fbffffdc.32.1&region= HTTP/1.1 Host: marketplace-altdev.allizom.org User-Agent: Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://marketplace-altdev.allizom.org/app/airbnb/ratings Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 35 Cookie: lang="en-US\054"; region=us; carrier=telefonica; __utma=106266271.1957641494.1367809669.1367809669.1367809669.1; __utmb=106266271.12.10.1367809669; __utmc=106266271; __utmz=106266271.1367809669.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Connection: keep-alive Pragma: no-cache active [7] { handler=47de7240 condition=0 pollflags=5 } active [6] { handler=47de74a0 condition=0 pollflags=5 } active [5] { handler=49eec7b0 condition=0 pollflags=5 } Cache-Control: no-cache ] I/PRLog ( 108): 2013-05-06 03:22:16.281537 UTC - 766400[42dfdf00]: nsHttpTransaction::HandleContentStart [this=4ba947c0] Duration: 0.252 4ba947c0 (marketplace-altdev.allizom.org -> POST /api/v1/apps/rating/447944/flag/?dev=firefoxos&format=json&lang=en-US&pro=fbffffdc.32.1&region=) http response [ HTTP/1.1 401 UNAUTHORIZED X-API-Version: 1 Server: gunicorn/0.17.4 Vary: X-API-Filter, X-Requested-With, Accept-Language, Cookie, X-Mobile, User-Agent, Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Encoding: gzip Access-Control-Expose-Headers: X-API-Filter, X-API-Status, X-API-Version Strict-Transport-Security: max-age=2592000 Date: Mon, 06 May 2013 03:22:15 GMT Transfer-Encoding: chunked Access-Control-Allow-Origin: * X-Content-Security-Policy-Report-Only: policy-uri /services/csp/policy?build=8585 Via: Moz-pp-zlb09 Connection: keep-alive X-API-Filter: carrier=telefonica&device=gaia&lang=en-US&region=us Set-Cookie: multidb_pin_writes=y; expires=Mon, 06-May-2013 03:22:30 GMT; Max-Age=15; Path=/ Access-Control-Allow-Methods: POST, OPTIONS Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type ]

Why shouldn't anonymous users be allowed to report reviews?

(In reply to Matt Basta [:basta] from comment #1) > Why shouldn't anonymous users be allowed to report reviews? I think anonymous users should be allowed. If this is just for parity with dev/prod, I'm inclined to say WONTFIX.

WONTFIX from me too. If it becomes an issue, this is as simple as setting `only-if-logged-in` on the link and turning on authentication for the API.

I asked us not to list the link since the submission is failing with a 401. Let's fix that issue then.

That's a separate issue. Is there a bug on file for it?