> > I'd suggest you disallow ANY access to admin screens without
> > authorization. i can still browse around and see what admin pages exist,
> > even if i can't access the contents. maybe put the admin access check
> > into admin.php itself.
>
> Ah yes thanks, I had kept a login screen in the administration module screen
> directory pondering whether to use it or not. You've just highlighted where
> it's needed...i.e. if someone tries to access admin.php directly they should
> be sent to a plain login screen.

Every admin screen should have a line that checks for admin privileges and returns if they aren't present. I'm convinced this is enough protection. However, since you've separated admin screens through another script, you can skip the chance of leaving the check out of any particular screen by putting it in the admin.php script.

Leon

_______________________________________________
FreeTrade-dev mailing list
[EMAIL PROTECTED]
http://share.whichever.com/mailman/listinfo/freetrade-dev
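The centralized check discussed in this thread, sketched as an added example that is not part of the original messages and is not FreeTrade's own code. The directory layout, the `screen` parameter, the screen names and the `is_admin` session flag are all assumptions; the point is that the privilege check runs before the requested screen name is even looked at, so a visitor without admin rights gets the same login screen whether or not the screen exists.

```php
<?php
// admin.php: hypothetical dispatcher for admin screens.
// All names below are assumptions for illustration, not FreeTrade's API.
declare(strict_types=1);

session_start();

// Assumed layout: screen files are only ever reached by being included here.
const ADMIN_SCREEN_DIR = __DIR__ . '/modules/admin/screens';
const LOGIN_SCREEN     = ADMIN_SCREEN_DIR . '/login.php';

// Allow-list of screen names; the request never supplies a file path.
const ADMIN_SCREENS = [
    'menu'   => 'menu.php',
    'orders' => 'orders.php',
    'items'  => 'items.php',
];

function isAdmin(): bool
{
    // Assumed flag, set by the login handler after successful authentication.
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// 1. Privilege check first, before any screen lookup. The response is
//    identical for existing and non-existing screens, so it reveals
//    nothing about which admin pages exist.
if (!isAdmin()) {
    http_response_code(403);
    require LOGIN_SCREEN;
    exit;
}

// 2. Only an authorized admin gets a screen resolved, and only from the list.
$screen = $_GET['screen'] ?? 'menu';
if (!is_string($screen) || !array_key_exists($screen, ADMIN_SCREENS)) {
    http_response_code(404);
    exit('Unknown admin screen');
}

require ADMIN_SCREEN_DIR . '/' . ADMIN_SCREENS[$screen];
```

This only covers every screen if the screen files cannot be requested directly, for example by keeping them outside the web root; otherwise the per-screen check Leon describes is still needed.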
