How is that a fundamental problem? It takes two lines of code to fix.
This is an alpha release. People shouldn't be using it, that's all. They should've put in an artificial limitation like max. 2 users with max. 2 pics each per server to avoid people using it.
The whole thing being in Rails is much more of a turn-off for me.
If I saw "# FIXME: check perms" in that code I'd have said, sure, it's alpha, no biggie. But without any acknowledgement of what should be a totally obvious security hole, it makes one question what other holes there might be, and maybe they can all be reviewed away... but it can also lead to a lot of pain for a long time. But maybe the visibility of the project will help get that review done.
Realistically, though, so long as they don't get clever it might be fine. If they do clever things then review becomes very hard.
It's not so much that it's hard to fix, it just demonstrates that they're either incompetent or not taking things seriously. It doesn't exactly inspire confidence for the future of the project.