I checked my application, and I found the origin + fix. In the file routes.php:

Router::connect('/pages/*', array('controller' => 'pages', 'action' => 'display'));
Router::connect('/sections/', array('controller' => 'sections', 'action' => 'index', 'prefix' => Configure::read('Routing.admin')));

My old file was without the 'prefix' key. That fixed the problem. Any ideas why?

On Nov 30, 12:59 pm, AD7six <[EMAIL PROTECTED]> wrote:
> On Nov 30, 11:46 am, phpjoy <[EMAIL PROTECTED]> wrote:
> > I'm experiencing a VERY weird auth problem, which is a very big
> > security risk for my application.
> >
> > When I try to access a page in the admin section directly, I'm being
> > redirected to the login page.
> > When I try to do the same via an XHR call, the page is loaded!
> >
> > Example:
> > When I try to access the URL http://localhost/admin/sections/edit/1294
> > I get redirected to http://localhost/admin/login
> >
> > When the program accesses the same URL, it loads the page.
> > Any ideas why it happens?
> >
> > Here's my auth setup:
> > function auth() {
> >     $this->controller->Auth->userScope = array('AdminUser.active' => '1');
> >     $this->controller->Auth->userModel = 'AdminUser';
> >     $this->controller->Auth->loginAction = '/' . Configure::read('Routing.admin') . '/login/';
> >     $this->controller->Auth->loginRedirect = '/' . Configure::read('Routing.admin') . '/';
> >     $this->controller->Auth->authorize = false;
> >     $this->controller->Auth->sessionKey = 'AdminUser';
> > }
> >
> > Here are the headers, checked by FireBug:
> >
> > Response Headers
> > ==============
> > Date Fri, 30 Nov 2007 10:30:54 GMT
> > Server Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.3
> > X-Powered-By PHP/5.2.3
> > P3P CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> > Pragma no-cache
> > Cache-Control no-store, no-cache, max-age=0, must-revalidate
> > Content-Length 719
> > Keep-Alive timeout=5, max=97
> > Connection Keep-Alive
> > Content-Type text/html
> >
> > Request Headers
> > =============
> > Host localhost
> > User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
> > Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> > Accept-Language en-us,en;q=0.7,he;q=0.3
> > Accept-Encoding gzip,deflate
> > Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive 300
> > Connection keep-alive
> > X-Requested-With XMLHttpRequest
> > Referer http://localhost/admin/
> > Cookie ProgramName=77254f4fb7cf56b71b266668f6708f9a
> > Pragma no-cache
> > Cache-Control no-cache
> >
> > If I request it through an HTTP data proxy, it doesn't load. Here are
> > the headers:
> >
> > Response Headers
> > ==============
> > Date Fri, 30 Nov 2007 10:43:57 GMT
> > Server Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.3
> > X-Powered-By PHP/5.2.3
> > P3P CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> > Pragma no-cache
> > Cache-Control no-store, no-cache, max-age=0, must-revalidate
> > Location http://localhost/admin/login/
> > Content-Length 0
> > Keep-Alive timeout=5, max=95
> > Connection Keep-Alive
> > Content-Type text/html
> >
> > Request Headers
> > ============
> > Host localhost
> > User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
> > Accept */*
> > Accept-Language en-us,en;q=0.7,he;q=0.3
> > Accept-Encoding gzip,deflate
> > Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive 300
> > Connection keep-alive
> > Referer http://localhost/admin/
> > Cookie ProgramName=bc904aec5ff06a2d12bb6f334fde97ab
> >
> > How can I make Auth check XHR calls?
>
> I doubt the Auth component cares how it receives a call, it's probably
> an app specific problem (if not provide a sample application which
> demonstrates the problem). Try having a look and investigatively debug
> the auth class, or stick some calls to $this->log($aVar); in your code
> to see if it's bypassing the Auth class, or calling it and succeeding
> etc.
>
> hth,
> AD
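The symptom in the quoted thread (an anonymous XHR request gets the admin page while a plain request is redirected to login) is easy to catch with a regression check that issues both request kinds and demands the same answer. This is an added example, not code from the thread or from CakePHP: the local HTTP server below is a constructed stand-in for the misbehaving application (only the admin URL and the login path are taken from the thread; the stand-in's handler, XHR_BYPASS switch, run_check and the 127.0.0.1 address are assumptions), and the checker is what you would point at the real application once it is deployed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_URL = "/admin/sections/edit/1294"   # URL quoted in the thread
LOGIN_URL = "/admin/login/"               # where Auth sends anonymous users

class AdminApp(BaseHTTPRequestHandler):
    # Constructed stand-in for the reported app, not the poster's code: with
    # XHR_BYPASS on, any request carrying X-Requested-With gets the admin
    # page; with it off, every anonymous request is redirected to login.
    XHR_BYPASS = True
    def do_GET(self):
        is_xhr = self.headers.get("X-Requested-With") == "XMLHttpRequest"
        if self.XHR_BYPASS and is_xhr:
            body = b"<form>edit section 1294</form>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", LOGIN_URL)
            self.end_headers()

    def log_message(self, *args):  # keep the check quiet
        pass

def fetch(host, port, path, xhr):
    # One anonymous GET; redirects are not followed so the 302 is visible.
    headers = {"X-Requested-With": "XMLHttpRequest"} if xhr else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    return resp.status, resp.getheader("Location")

def auth_is_consistent(host, port, path=ADMIN_URL):
    # A protected URL must send BOTH kinds of anonymous request to login.
    plain, xhr = fetch(host, port, path, False), fetch(host, port, path, True)
    return plain == xhr == (302, LOGIN_URL)

def run_check(xhr_bypass):
    app = type("App", (AdminApp,), {"XHR_BYPASS": xhr_bypass})
    server = HTTPServer(("127.0.0.1", 0), app)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return auth_is_consistent("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
```

run_check(True) reproduces the thread's broken behaviour and returns False; run_check(False) models the fixed routing and returns True. Against a real deployment, call auth_is_consistent with the application's host and port from a session that holds no login cookie.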