I think this was our concern with this approach that was used. We want to have finer-grained control but whatever we do we want it to be secure and not just security through obscurity.
Thanks for your efforts around this!

Mike

On Thu, Dec 8, 2011 at 3:51 PM, <[email protected]> wrote:

> Mike,
>
> Good catch. I thought I had nailed all these down, but this version does look like if you are authenticated and know the URL, it would let you go places you shouldn't be allowed. Let me go back through my latest customized version and compare. There should be checks that will boot you back to the home page (or was it the login page?) if you try to view a page you're not supposed to be allowed to access.
>
> I'll generate a new (generic) diff based off the latest 4.4 and re-post.
>
> Thanks,
>
> Andy
>
> ------------------------------
> *From: *"Michael Picher" <[email protected]>
> *To: *"Discussion list for users of sipXecs software" <[email protected]>
> *Sent: *Thursday, December 8, 2011 2:38:19 PM
> *Subject: *Re: [sipx-users] Web portal access restricted to CDR report only
>
> Andrew, does this just use flags in the GUI for menus? How secure is this? If somebody still knows a URI can they get to it?
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
www.ezuce.com
