Ok, correction. They can't visit just any page on the admin subsite,
just the first page that was made, the Users page. While they can't
view any other users thanks to permissions being set correctly, I
don't want them to be able to access that page. I could toss a
redirect in the controller, but is there a cleaner solution?



On Dec 4, 7:39 pm, hobo_hippy <[email protected]> wrote:
> I'm testing my site for security holes. I've noticed if a regular user
> tries to access an admin subsite page directly by typing in the url
> such as www.baseurl/admin/whateverModel they can access the page! I
> thought this was avoided in the admin site controller with the
> before_filter... what's going on here?
>
> Sure the pertinent information I don't want shared is protected by the
> model permissions, but regular users shouldn't be able to view these
> pages!!
>
> So what's wrong here? How do I fix?

-- 
You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.