yes I do, this is the code from app_controller.php:

    class AppController extends Controller {
        var $components = array('Session');
        var $helpers = array('MyPaginate', 'Text');
        var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

        function beforeFilter() {
            # log in the admin
            if (isset($this->data['admin']['credentials']))
                if ($this->data['admin']['credentials'] == Configure::read('Admin.Username')
                    && $this->data['admin']['pw'] == Configure::read('Admin.Password'))
                    $this->Session->write('admin', 1);
                else
                    $this->Session->write('admin', 0);

            # or log him out!
            if (isset($this->data['admin']['logout']) && $this->data['admin']['logout']) {
                $this->Session->write('admin', 0);
                $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
            }

            if (!$this->Session->read('admin'))
                if (!in_array($this->action, $this->allowedActions)) {
                    $this->flash('You are not allowed to access this page', '/');
                    //$this->redirect(array('controller' => 'pages', 'action' => 'display'));
                }

            if ($this->action == 'admin_view')
                $this->setAction('view', $this->params['pass']);
            elseif ($this->action == 'admin_doi_codes')
                $this->setAction('doi_codes', $this->params['pass']);
        }
    }

thanks for the reply, karl.

On 26 Oct., 21:49, Miles J <mileswjohn...@gmail.com> wrote:
> Are you applying the authorize login settings within the beforeFilter
> ()?
>
> On Oct 26, 1:36 pm, audioworld <audiowo...@gmail.com> wrote:
>
> > I have a basic database management online at http://doidata.net
> > The access to the admin section is secured with a simple
> > authentication which is hardcoded in the file /config/core.php
> > In theory, when someone without the admin cookie set, access to the
> > routes
> > ../resource/delete/ID
> > should be blocked. However, when I try this URL in the browser, it
> > really works WITHOUT authentication, and the database entry is
> > deleted!!! This was demonstrated last night by Google Bot which seems
> > to try out every possible route, and deleted most of my entries..
> >
> > here are some lines from the APACHE access log:
> > 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> > 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >
> > I am very thankful for any help to lock up my database edit/delete
> > access,
> > thanks, karl.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
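An added example (not karl's code and not part of the thread) showing the two defensive changes a reviewer would make to the beforeFilter above. In CakePHP 1.2, Controller::flash() renders the flash layout and returns, so the guarded action still runs after the "not allowed" message; Controller::redirect() stops the request by default. Separately, a crawler only ever follows links, i.e. GET requests, so a destructive action that accepts GET will be triggered by any bot that finds the URL, authenticated or not. The ContributorRolesController, its model and the index action are assumptions made for this example; Configure::read('Admin.Username') and 'Admin.Password' are the keys the original code already uses.

```php
<?php
// Added example, not the original poster's code. Assumes CakePHP 1.2:
// Session and RequestHandler components, Configure::read(), Model::del().
class AppController extends Controller {
    var $components = array('Session', 'RequestHandler');
    // Public actions; everything else requires the admin session.
    var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

    function beforeFilter() {
        // Log the admin in only when both credentials match. Strict comparison
        // so that a non-string value cannot satisfy the check.
        if (isset($this->data['admin']['credentials'])) {
            $ok = ($this->data['admin']['credentials'] === Configure::read('Admin.Username')
                && $this->data['admin']['pw'] === Configure::read('Admin.Password'));
            $this->Session->write('admin', $ok ? 1 : 0);
        }

        // Log out and stop the request; redirect() calls _stop() by default.
        if (!empty($this->data['admin']['logout'])) {
            $this->Session->delete('admin');
            $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
        }

        // Deny by default: the redirect ends the request, so a non-allow-listed
        // action never executes for an unauthenticated visitor.
        if (!$this->Session->read('admin') && !in_array($this->action, $this->allowedActions)) {
            $this->Session->setFlash('You are not allowed to access this page');
            $this->redirect('/');
        }
    }
}

// Assumed resource controller for the example. Even an authenticated admin
// must POST to delete, so a link-following crawler can never trigger it.
class ContributorRolesController extends AppController {
    var $name = 'ContributorRoles';

    function delete($id = null) {
        if (!$this->RequestHandler->isPost() || !$id) {
            $this->Session->setFlash('Delete requires a POST request');
            $this->redirect(array('action' => 'index'));
        }
        if ($this->ContributorRole->del($id)) {
            $this->Session->setFlash('Entry deleted');
        }
        $this->redirect(array('action' => 'index'));
    }
}
?>
```

With this in place a request like the logged "GET /contributor_roles/delete/15" is answered with a redirect and no database change, whether or not the admin session is set; the delete links in the views then need to become small POST forms (FormHelper::create() with a hidden id, or the 'post' option of HtmlHelper::link in later versions) rather than plain anchors.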