We should not emit metrics that are globally readable.
Most critical metrics to protect are oauth related.
Goal will be to either protect those metrics or disable them.
My PR correctly fixes the lack of auth on metrics and all other OAuth server endpoints that need it. It does not disable metrics.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.