No biggie to fix though.

-----Original Message-----
From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
Sent: 10 July 2003 09:53
To: FarCry Developers
Subject: [farcry-dev] Re: Security
> From memory I believe it is any user in a group with the "admin"
> permission. But different groups will see different tabs etc depending
> on their defined role.

Just because a user doesn't have the privilege to display the Admin tab, they are free to type URLs directly into the Address Bar (I've heard it referred to as "URL surfing"). If there is no check performed on the template that displays an Admin page, or on any of the "action" pages that deal with Administrative functionality, application security is not being enforced.

I logged in as an Administrator, right-clicked the Admin tab, selected Copy Shortcut, logged out, logged in as a user with minimal permissions, pasted the copied URL into the Address Bar and hit Enter. I was surprised when I was able to view the Admin page, albeit with a restricted set of links in the menu on the left-hand side of the page -- I'd expected it to log me out with a message saying "Tut tut, naughty user", but it didn't. Additionally, I was able to click on one of the links and view one of the Administration pages.

I had wanted someone else to validate whether or not what I'd seen was expected behaviour. If it is, I'd be worried.

-- 
Aidan Whitehall <mailto:[EMAIL PROTECTED]>
Macromedia ColdFusion Developer
Fairbanks Environmental Ltd
+44 (0)1695 51775
Queen's Awards Winner 2003 <http://www.fairbanks.co.uk/go/awards>
---
You are currently subscribed to farcry-dev as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
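The check Aidan is asking about, modelled as an added example that is not FarCry's code and not part of the thread: one dispatcher that only decides whether to draw the Admin tab, next to one that re-checks the permission on every admin template and action page at the moment it is served. It is written in Python rather than CFML so the forced-browsing test from the message can be replayed directly; the user names, host, URLs, template names and the "admin" permission string are all constructed for the example.

```python
"""Added example: why hiding the Admin tab is not an authorisation check.

Two tiny request dispatchers model the situation in the thread. The first
only decides which tabs to draw; the second also re-checks the permission
on every admin template and "action" page it serves, so a URL copied from
an administrator's browser is refused when a low-privilege user pastes it.
All users, URLs and template names below are constructed for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a template's required permission is missing."""


# Constructed template table: path -> (what is served, permission required).
# None means the template is public. Action pages (the ones that change
# things) are listed exactly like display pages: both must be checked.
TEMPLATES = {
    "/index.cfm": ("home", None),
    "/admin/index.cfm": ("admin-home", "admin"),
    "/admin/users.cfm": ("admin-user-list", "admin"),
    "/admin/deleteuser.cfm": ("admin-delete-user-action", "admin"),
}


def render_tabs(user):
    """Menu-level decision only: which tabs the page draws for this user."""
    tabs = ["Home"]
    if "admin" in user.permissions:
        tabs.append("Admin")
    return tabs


def _lookup(url):
    # Lower-case the path: a case-insensitive server would otherwise serve
    # /Admin/index.cfm while an exact-match check looks for /admin/index.cfm.
    path = urlparse(url).path.lower()
    return TEMPLATES.get(path)


def dispatch_unchecked(user, url):
    """Vulnerable: trusts that the menu hid the link and never re-checks.
    Any user who knows (or is handed) the URL gets the template."""
    entry = _lookup(url)
    return entry[0] if entry else "not-found"


def dispatch_checked(user, url):
    """Hardened: the permission is enforced for every template at the point
    it is served, regardless of how the browser arrived at the URL."""
    entry = _lookup(url)
    if entry is None:
        return "not-found"
    served, required = entry
    if required is not None and required not in user.permissions:
        raise Forbidden(f"{user.name} lacks the '{required}' permission")
    return served


def url_surf(dispatcher, copied_url, low_privilege_user):
    """Replay the test from the thread: an Admin URL copied from an
    administrator's session is pasted into the Address Bar by a user with
    minimal permissions. Returns the template served, or 'denied'."""
    try:
        return dispatcher(low_privilege_user, copied_url)
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    admin = User("admin", {"admin"})
    guest = User("guest")
    copied = "http://cms.example/admin/index.cfm?nav=admin"  # Copy Shortcut
    print(render_tabs(guest))                           # ['Home']
    print(url_surf(dispatch_unchecked, copied, guest))  # admin-home
    print(url_surf(dispatch_checked, copied, guest))    # denied
```

The shape of the fix matters less than where it runs: a one-line check included at the top of every admin template (display and action pages alike) is the CFML-shaped equivalent of `dispatch_checked`, and whether FarCry itself does that is exactly the question the message asks. What the menu code decides to draw is never the check; the server must refuse the request itself.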
