Auth not redirecting for scaffold admin pages
Hi,

I have a major security problem with CakePHP.

For some reason the Auth component is not redirecting the browser to the login page for admin pages when the page is rendered with scaffolding. Other admin pages for controller actions are being redirected.

I am using CakePHP version 1.2.1.8004.

All my controllers allow access to admin routed pages, but I never called Auth->allow(..) for those admin actions. Other custom admin actions such as admin_myaction() are redirected to the login page.

Please help... I don't know where to look to fix this.

You received this message because you are subscribed to the Google Groups CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

Re: Auth not redirecting for scaffold admin pages
    function startup($controller) {
        // True for the error controller, for the test controller in debug
        // mode, or when the requested action is not a controller method
        $isErrorOrTests = (
            strtolower($controller->name) == 'cakeerror' ||
            (strtolower($controller->name) == 'tests' && Configure::read() > 0) ||
            !in_array($controller->params['action'], $controller->methods)
        );
        if ($isErrorOrTests) {
            // Early return: none of the Auth checks run
            return true;
        }
        // ... rest of startup() not shown in the post
    }

What the hell???

This is from the Auth component. It skips auth startup if the action is not a method in the controller.

Appears this is fixed in the latest version.

On Aug 20, 9:48 am, Mathew <nfoscar...@yahoo.com> wrote:
> Hi,
>
> I have a major security problem with CakePHP.
>
> For some reason the Auth component is not redirecting the browser to the login page for admin pages when the page is rendered with scaffolding. Other admin pages for controller actions are being redirected.
>
> I am using CakePHP version 1.2.1.8004.
>
> All my controllers allow access to admin routed pages, but I never called Auth->allow(..) for those admin actions. Other custom admin actions such as admin_myaction() are redirected to the login page.
>
> Please help... I don't know where to look to fix this.

Re: Auth not redirecting for scaffold admin pages
If you were to search these google groups prior to posting, you *probably* would have found the answer.

Scaffolding is typically a means for quick non-production deployment so that there is something to show your boss/stakeholders with regard to skeleton-level interaction and navigation. Once a more production level feature is used (such as Auth), scaffolding is no longer supported. Many of the Cake devs have reported on this, and have iterated many times over that scaffolds were never meant to be used in production where security is a concern.

If it truly has been fixed in the latest version, someone decided to be nice; however, there still may be other issues with it that aren't noticed upon first glance. I would strongly suggest creating a simple baked controller and related views for that model to err on the side of caution.

On Aug 20, 10:05 am, Mathew <nfoscar...@yahoo.com> wrote:
>     function startup($controller) {
>         // True for the error controller, for the test controller in debug
>         // mode, or when the requested action is not a controller method
>         $isErrorOrTests = (
>             strtolower($controller->name) == 'cakeerror' ||
>             (strtolower($controller->name) == 'tests' && Configure::read() > 0) ||
>             !in_array($controller->params['action'], $controller->methods)
>         );
>         if ($isErrorOrTests) {
>             // Early return: none of the Auth checks run
>             return true;
>         }
>         // ... rest of startup() not shown in the post
>     }
>
> What the hell???
>
> This is from the Auth component. It skips auth startup if the action is not a method in the controller.
>
> Appears this is fixed in the latest version.
>
> On Aug 20, 9:48 am, Mathew <nfoscar...@yahoo.com> wrote:
> > Hi,
> >
> > I have a major security problem with CakePHP.
> >
> > For some reason the Auth component is not redirecting the browser to the login page for admin pages when the page is rendered with scaffolding. Other admin pages for controller actions are being redirected.
> >
> > I am using CakePHP version 1.2.1.8004.
> >
> > All my controllers allow access to admin routed pages, but I never called Auth->allow(..) for those admin actions. Other custom admin actions such as admin_myaction() are redirected to the login page.
> >
> > Please help... I don't know where to look to fix this.
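
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not CakePHP's own code: a simplified model of the quoted `startup()` check next to a deny-by-default variant. The function names and the `$controller` array are hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration: a simplified stand-in for the guard quoted in the
// thread, not CakePHP's AuthComponent. All names below are hypothetical.

// Constructed stand-in for a controller that uses scaffolding: admin_index is
// served by the scaffold, so it is NOT one of the controller's own methods.
$controller = array(
    'methods' => array('admin_myaction'),   // actions defined as real methods
    'allowed' => array(),                   // nothing opened up via allow()
);

// Flawed guard, same shape as the quoted check: an action that is not a
// controller method skips authentication entirely.
function flawedStartup(array $controller, $action, $loggedIn) {
    if (!in_array($action, $controller['methods'], true)) {
        return true;                        // early return: no auth check at all
    }
    return $loggedIn || in_array($action, $controller['allowed'], true);
}

// Deny-by-default guard: only an explicit allow-list entry or a logged-in
// session grants access, whether or not the action is a real method.
function strictStartup(array $controller, $action, $loggedIn) {
    if (in_array($action, $controller['allowed'], true)) {
        return true;
    }
    return (bool) $loggedIn;
}

// Anonymous requests (loggedIn = false) against both guards.
foreach (array('admin_myaction', 'admin_index') as $action) {
    printf(
        "%-15s flawed=%s strict=%s\n",
        $action,
        flawedStartup($controller, $action, false) ? 'served' : 'login',
        strictStartup($controller, $action, false) ? 'served' : 'login'
    );
}
```

The same pair of anonymous requests makes a quick regression check after upgrading or after replacing a scaffold with a baked controller: every admin action, scaffolded or not, should end at the login page.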