I think the matter you raise is a valid one. Given the amount of new functionality added in recent times it may well be that some exceptions to security checks have slipped through the cracks. We have slated a review of internal "core" permissions (i.e. those that install by default) but any vulnerabilities you can point out are very important.
If I could impose upon you: send an email to [EMAIL PROTECTED] each time you find an error of this nature. That will drop straight into our bug tracker and be dealt with in a timely fashion.
-- geoff http://www.daemon.com.au/
Aidan Whitehall wrote:
From memory I believe it is any user in a group with the "admin" permission. But different groups will see different tabs etc. depending on their defined role.
Just because a user doesn't have the privilege to display the Admin tab, they are free to type urls directly into the Address Bar (I've heard it referred to as "url surfing"). If there is no check performed on the template that displays an Admin page or any of the "action" pages that deal with Administrative functionality, application security is not being enforced.
I logged in as an Administrator, right-clicked the Admin tab, selected Copy Shortcut, logged out, logged in as a user with minimal permissions and pasted the copied url into the Address Bar and hit enter. I was surprised when I was able to view the Admin page, albeit with a restricted set of links in the menu on the left hand side of the page -- I'd expected it to log me out with a message saying "Tut tut, naughty user", but it didn't. Additionally, I was able to click on one of the links and view one of the Administration pages.
I had wanted someone else to validate whether or not what I'd seen was expected behaviour. If it is, I'd be worried.
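The failure mode Aidan describes above, as an added illustration that is not FarCry's code and not part of the original thread: a simulated web application with two request dispatchers. The first only hides admin links in the menu, so a URL copied by an administrator and pasted by a low-privilege user is served anyway ("url surfing"). The second runs the permission check on every admin request, page templates and action pages alike, before rendering. Python stands in for whatever server-side templates the application actually uses; the users, the "admin" permission and the route table are constructed for the example.

```python
# Added example (not FarCry code): why hiding the Admin tab is not access control.
# Everything below (users, permissions, URLs) is constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


# Constructed route table: path -> permission the route should require.
# Public pages require nothing. The last entry is an "action" page, the kind
# that performs an administrative change rather than just displaying a form.
ROUTES = {
    "/index": None,
    "/admin/": "admin",
    "/admin/users/delete": "admin",
}


def build_menu(user):
    """Hide links the user may not follow. A UX nicety, not a security control."""
    return [path for path, perm in ROUTES.items()
            if perm is None or perm in user.permissions]


def render(path):
    return f"200 {path}"


def dispatch_ui_only(user, path):
    """Broken: relies on the menu having hidden the link. Any known path typed
    into the address bar is served regardless of the user's permissions."""
    if path not in ROUTES:
        return "404"
    return render(path)


def dispatch_enforced(user, path):
    """Hardened: the permission check runs on every request, on display
    templates and action pages alike, before anything is rendered."""
    if path not in ROUTES:
        return "404"
    required = ROUTES[path]
    if required is not None and required not in user.permissions:
        return "403"
    return render(path)


def url_surfing_demo(dispatch):
    """Reproduce the post's test: an administrator copies the Admin URLs,
    then a user with minimal permissions pastes them into the address bar."""
    admin = User("admin", {"admin"})
    low = User("guest", set())
    copied = [p for p in build_menu(admin) if p.startswith("/admin/")]
    # The menu does hide admin links from the low-privilege user...
    assert not any(p.startswith("/admin/") for p in build_menu(low))
    # ...but what matters is what the dispatcher does with the pasted URL.
    return {p: dispatch(low, p) for p in copied}


if __name__ == "__main__":
    print("ui-only :", url_surfing_demo(dispatch_ui_only))   # admin pages served
    print("enforced:", url_surfing_demo(dispatch_enforced))  # 403 on every one
```

The point of the second dispatcher is that the check is keyed on the route, not on how the user arrived there; a link that never appeared in the menu is treated exactly like one that did.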
