All the "protection" logic is in the first 70 lines of the appadmin controller.
On Tuesday, July 1, 2014 8:43:56 AM UTC+2, Detlev Bielz wrote:
> Hello,
>
> we, a small company, are using web2py for some web services with a couple of different apps we developed ourselves.
> Recently, a colleague of mine pointed me to the fact that he was able to access https://ourdomain/our_app/appadmin/index without having to authenticate in any way. Since these services are my concern, I checked instantly, but with three different browsers (Firefox, Chrome, IE) and different user profiles for Firefox and Chrome I was not able to reproduce this.
>
> Now, my colleague observed this phenomenon again, and a third colleague and my own browsers could reproduce this issue. But not only 'our_app/appadmin' is accessible; appadmin of ALL other apps as well:
>
> - https://ourdomain/our_other_app/appadmin/index
> - https://ourdomain/our_third_app/appadmin/index, even
> - https://ourdomain/welcome/appadmin/index
>
> is accessible without having to login! The only exception is /admin/appadmin; here we have to login.
>
> We all cleared caches etc. from our browsers or used browsers and browser profiles with which we had never accessed this web2py instance before.
>
> I know Massimo recommends not exposing admin and appadmin on production instances, but this is not a public server (only known to a small circle of customers), and we value the benefit of direct access to appadmin higher than the risk. As long as appadmin is protected, that is. So we would like to keep this option.
>
> Where can we check why appadmin is not protected any more?
>
> Thanks for your attention,
>
> Detlev

