Thanks, Miles: At the moment it is not completely clear to me how this is different from my way of authentication, but I will read and learn.
On 26 Oct., 22:50, Miles J <mileswjohn...@gmail.com> wrote:
> You should use HTTP authentication.
>
> http://book.cakephp.org/view/473/Basic-HTTP-Authentication
>
> On Oct 26, 2:44 pm, Andras Kende <and...@kende.com> wrote:
> > Your add action has auth but in your app_controller.php did you add
> > any auth for "delete" action too ?
> >
> > http://doidata.net/contributor_roles/delete - "Invalid id for
> > ContributorRole" : this is wide open...
> >
> > Andras
> >
> > On Oct 26, 2009, at 5:36 PM, audioworld wrote:
> > > Hello Andreas, thanks for checking,
> > >
> > > but as you can see from the app_controller above, I think I
> > > implemented the authentication properly.
> > > What you see at the link is just the "index" action, but when you
> > > click on an "add" action:
> > > http://doidata.net/contributor_roles/add
> > >
> > > there is the correct error message:
> > > "your are not allowed to acces this page"
> > >
> > > so it is still unclear to me how the delete action can be used without
> > > authentication...
> > >
> > > On 26 Oct., 22:27, Andras Kende <and...@kende.com> wrote:
> > > > Hello,
> > > >
> > > > Your site is not password protected so google robot just crawling
> > > > through the delete links..
> > > >
> > > > http://doidata.net/contributor_roles/
> > > >
> > > > Andras
> > > >
> > > > On Oct 26, 2009, at 4:36 PM, audioworld wrote:
> > > > > I have a basic database management online at http://doidata.net
> > > > > The access to the admin section is secured with a simple
> > > > > authentication which is hardcoded in the file /config/core.php
> > > > > In theory, for someone without the admin cookie set, access to the
> > > > > routes
> > > > > ../resource/delete/ID
> > > > > should be blocked. However, when I try this URL in the browser, it
> > > > > really works WITHOUT authentication, and the database entry is
> > > > > deleted!!! This was demonstrated last night by Google Bot which seems
> > > > > to try out every possible route, and deleted most of my entries..
> > > > >
> > > > > here are some lines from the APACHE access log:
> > > > > 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> > > > > 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> > > > >
> > > > > I am very thankful for any help to lock up my database edit/delete
> > > > > access,
> > > > > thanks, karl.
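One way to close the hole discussed in this thread, as an added example in CakePHP 1.2 style (not code from the thread, from Karl's site, or from the CakePHP project): AppController denies every action unless it is explicitly allowed, so delete is covered in every controller, and the delete action refuses plain GET requests, which is all a crawler following links ever sends. It assumes the Auth, RequestHandler and Session components and a users table for Auth; the hand-rolled cookie check in core.php is replaced, not kept.

```php
<?php
// app/app_controller.php (added example; assumes CakePHP 1.2 with a users table for Auth)
class AppController extends Controller {
    var $components = array('Auth', 'RequestHandler', 'Session');

    function beforeFilter() {
        // Deny by default: only the read-only actions are public, so add/edit/
        // delete need a login in every controller, not just the ones that
        // remember to check a cookie.
        $this->Auth->allow('index', 'view');
        $this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
        $this->Auth->authError = 'You are not allowed to access this page.';
    }
}

// app/controllers/contributor_roles_controller.php
class ContributorRolesController extends AppController {
    var $name = 'ContributorRoles';

    function delete($id = null) {
        // A destructive action must not be reachable by GET: a search-engine
        // crawler only issues GETs, so requiring POST keeps it from deleting
        // rows even if a delete URL is linked somewhere.
        if (!$this->RequestHandler->isPost()) {
            $this->Session->setFlash('Delete requires a POST request.');
            $this->redirect(array('action' => 'index'));
        }
        if (!$id) {
            $this->Session->setFlash('Invalid id for ContributorRole');
            $this->redirect(array('action' => 'index'));
        }
        if ($this->ContributorRole->delete($id)) {
            $this->Session->setFlash('ContributorRole deleted');
        }
        $this->redirect(array('action' => 'index'));
    }
}
?>

<?php
// app/views/contributor_roles/index.ctp (fragment): a POST form replaces the
// $html->link('Delete', ...) produced by bake, because that link is a GET.
echo $form->create('ContributorRole', array(
    'url' => array('action' => 'delete', $contributorRole['ContributorRole']['id'])));
echo $form->end('Delete');
?>
```

With both changes in place, a request like the logged "GET /contributor_roles/delete/15" is redirected without touching the database, and even a POST to it is refused unless the session has passed Auth.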