On Sunday, February 27, 2011 9:40:03 PM UTC-5, mart wrote:
>
> Well, I have to check... Naturally (and there is always a chance - I'm
> actually left feeling surprised when I am not wrong), I could be
> completely missing the mark here. I do know that a copy (with a new
> name) of appadmin is quite open to all users (because I did that
> once), but just thought I'd mention...

Hmm, I can't reproduce this simply by renaming appadmin.py and appadmin.html
to something else -- I still have to be logged in to admin to access (the
renamed) appadmin. It looks like the following code in appadmin.py (which
does not appear to depend on the name being 'appadmin') prevents
unauthorized access:

    if (request.application=='admin' and not session.authorized) or \
            (request.application!='admin' and not
             gluon.fileutils.check_credentials(request)):
        redirect(URL('admin', 'default', 'index'))

Anyway, I'm not recommending changing the name of appadmin -- don't see a
good reason to.

>
> As for the appadmin not being an app... alright, sure. But, I can log
> onto a web2py server (without logging into any application) and
> view, update, delete data from any app's DB. Because I can do that, I
> tend to want to see it as a feature of having admin privileges... admin
> vs appadmin or app vs .py file with a view. I still see them belonging
> together (even if I am wrong about it).

Yes, that makes sense.

Best,
Anthony