Andreas Schwarz wrote:
> Just a guess: Admin::UserController#preferences.
>
>> only_allow_access_to :index, :new, :edit, :remove, :when => :admin,
>
> "preferences" is not in that list.
>
>> @user = User.find(session['user'].id)
>
> Unless whiny_nils is enabled (which I strongly recommend), anyone can
> pretend to be user #4, because nil.id = 4.
How would they do that? Hitting the admin/preferences URL when you are not logged in will redirect you to the login page.

--
John Long
http://wiseheartdesign.com

_______________________________________________
Radiant mailing list
Post: [email protected]
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
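The mechanism Andreas describes, shown as an added example that is not code from the thread or from Radiant: on Ruby 1.8, `Object#id` was an alias of `object_id` and `nil.object_id` was 4, so `User.find(session['user'].id)` with an empty session became `User.find(4)`. Current Ruby has no `nil.id` (it raises `NoMethodError`), so the block installs a small shim that reproduces the old return value purely so the legacy lookup can run. `User`, `USERS`, `find_user`, `legacy_current_user` and `safe_current_user` are all constructed for this example; the fail-closed variant returns no user at all when the session holds none, which is the behaviour whiny_nils (raising on `nil` method calls) also forces.

```ruby
# Added example, not part of the Radiant thread. Minimal in-memory stand-in
# for a User model plus two ways of resolving the current user from a
# session hash. Constructed sample data: id 4 stands in for whichever
# record nil.id happened to resolve to on Ruby 1.8.
User = Struct.new(:id, :login, :admin)

USERS = [
  User.new(1, "alice", true),
  User.new(4, "dave",  false),
].freeze

# Stand-in for ActiveRecord's find: raises when no such record exists.
def find_user(id)
  USERS.find { |u| u.id == id } or raise KeyError, "no user #{id.inspect}"
end

# Shim simulating Ruby 1.8, where nil.id == nil.object_id == 4. It exists
# only so the legacy lookup below can execute on a modern interpreter,
# where nil.id would raise NoMethodError (the effect whiny_nils gave Rails
# apps in 2007).
unless nil.respond_to?(:id)
  class NilClass
    def id
      4
    end
  end
end

# The lookup quoted in the thread: trusts session['user'] to be a user
# object. With an empty session, nil.id (4 under the shim) is looked up.
def legacy_current_user(session)
  find_user(session['user'].id)
end

# Fail-closed variant: an empty session yields no user instead of the
# record whose id happens to equal nil's object_id.
def safe_current_user(session)
  user = session['user']
  return nil if user.nil?
  find_user(user.id)
end

if __FILE__ == $PROGRAM_NAME
  p legacy_current_user({})                          # user #4 ("dave")
  p safe_current_user({})                            # nil
  p safe_current_user('user' => User.new(1, nil, nil)) # user #1 ("alice")
end
```

The `safe_current_user` check is the minimum; in the controller itself the access filter Andreas quotes would additionally need `preferences` in its action list so the lookup is never reached by an anonymous request.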
