Thanks, Gonzalo: I will add the 'exit()' function after the flash message; your thought is very good and welcome!
Thanks also, Andras: as a simple fix, I just erased the "delete" actions in all the controllers for all the database tables, and just left the "delete" action for the function admin_delete. This is not pretty, but it seems to close the most obvious authentication problems... I think I have to read the API documentation for authentication over and over again... Are there any pointers to an end-to-end explanation for a simple + secure authentication? I gathered my knowledge from little bits and pieces here and there, and this is not enough it seems..

best regards, karl.

On 26 Oct., 22:44, Andras Kende <and...@kende.com> wrote:
> Your add action has auth but in your app_controller.php did you add
> any auth for "delete" action too ?
>
> http://doidata.net/contributor_roles/delete- Invalid id for
> ContributorRole : this is wide open...
>
> Andras
>
> On Oct 26, 2009, at 5:36 PM, audioworld wrote:
>
> > Hello Andreas, thanks for checking,
> >
> > but as you can see from the app_controller above, I think I
> > implemented the authentication properly.
> > What you see at the link is just the "index" action, but when you
> > click on an "add" action:
> > http://doidata.net/contributor_roles/add
> >
> > there is the correct error message:
> > "your are not allowed to acces this page"
> >
> > so it is still unclear to me how the delete action can be used without
> > authentication...
> >
> > On 26 Oct., 22:27, Andras Kende <and...@kende.com> wrote:
> >> Hello,
> >>
> >> Your site is not password protected so google robot just crawling
> >> through the delete links..
> >> http://doidata.net/contributor_roles/
> >>
> >> Andras
> >>
> >> On Oct 26, 2009, at 4:36 PM, audioworld wrote:
> >>> I have a basic database management online at http://doidata.net
> >>> The access to the admin section is secured with a simple
> >>> authentication which is hardcoded in the file /config/core.php
> >>> In theory, when someone without the admin cookie set, access to the
> >>> routes
> >>> ../resource/delete/ID
> >>> should be blocked. However, when I try this URL in the browser, it
> >>> really works WITHOUT authentication, and the database entry is
> >>> deleted!!! This was demonstrated last night by Google Bot which
> >>> seems to try out every possible route, and deleted most of my entries..
> >>>
> >>> here are some lines from the APACHE access log:
> >>> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >>> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >>>
> >>> I am very thankful for any help to lock up my database edit/delete
> >>> access,
> >>> thanks, karl.
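The two defects the thread circles around (an auth check that covered "add" but not "delete", and a delete that any crawler can trigger by following a plain link) can both be closed in app_controller.php. The following is an added example, not karl's code and not CakePHP's own; it assumes a CakePHP 1.2-style AppController and uses a session key named Admin.loggedIn and a public-action list that are placeholders for whatever the application actually stores.

```php
<?php
// Added example (not from the thread). Assumes CakePHP 1.2 conventions:
// Controller::beforeFilter(), $this->action, Session and RequestHandler
// components. 'Admin.loggedIn' is an assumed session key.
class AppController extends Controller {
    var $components = array('Session', 'RequestHandler');

    // Actions anyone may reach without logging in. Everything NOT listed
    // here is denied, so an action that is forgotten (like "delete" was)
    // fails closed instead of open.
    var $publicActions = array('index', 'view');

    function beforeFilter() {
        if (in_array($this->action, $this->publicActions)) {
            return;
        }

        // 1. Authentication applies to every non-public action in every
        //    controller, not just the ones someone remembered to protect.
        if (!$this->Session->read('Admin.loggedIn')) {
            $this->Session->setFlash('You are not allowed to access this page');
            $this->redirect('/');
            // As suggested in the thread: stop here so the requested action
            // body (the delete itself) can never run after the redirect.
            exit();
        }

        // 2. Side-effecting actions must not be reachable by a bare GET.
        //    A crawler following <a href="/contributor_roles/delete/15">
        //    sends GET, so requiring POST keeps robots (and prefetching
        //    browsers) from deleting rows even when a cookie is present.
        //    Matches both "delete" and admin-routed "admin_delete".
        if (preg_match('/(^|_)delete$/', $this->action)
            && !$this->RequestHandler->isPost()) {
            $this->Session->setFlash('Delete must be submitted with POST');
            $this->redirect($this->referer('/'));
            exit();
        }
    }
}
?>
```

The delete links in the views then have to become small POST forms; with this filter in place a leftover GET link simply bounces back with the flash message instead of removing the record.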