With ci-game version 1.4, I am able to view the link to reset scores on the
leader board even if I am logged in anonymously. I do have security enabled in
matrix mode.

If I bound the <l:task /> link for the "confirmResetScores" (in sidepanel.jelly)
with the following check, the link appears only when desired (i.e., when an
admin is logged in):

<j:if test="${h.hasPermission(app.ADMINISTER)}">
<l:task ... href="confirmResetScores" ... permission="${it.CONFIGURE}" />
</j:if>

Not sure if the ${it.CONFIGURE} attribute value is not being picked up, or if I
have a misconfiguration on my server somewhere.