Auth not redirecting for scaffold admin pages

2009-08-20 Thread Mathew

Hi,

I have a major security problem with CakePHP. For some reason the Auth
component is not redirecting the browser to the login page for admin
pages when the page is rendered with scaffolding. Other admin pages
for controller actions are being redirected.

I am using CakePHP version 1.2.1.8004.

All my controllers allow access to admin routed pages, but I never
called Auth->allow(..) for those admin actions. Other custom admin
actions such as admin_myaction() are redirected to the login page.

Please help... I don't know where to look to fix this.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Auth not redirecting for scaffold admin pages

2009-08-20 Thread Mathew

    function startup($controller) {
        $isErrorOrTests = (
            strtolower($controller->name) == 'cakeerror' ||
            (strtolower($controller->name) == 'tests' && Configure::read() > 0) ||
            !in_array($controller->params['action'], $controller->methods)
        );
        if ($isErrorOrTests) {
            return true;
        }

What the hell???

This is from the Auth component. It skips auth startup if the action
is not a method in the controller.

Appears this is fixed in the latest version.

On Aug 20, 9:48 am, Mathew <nfoscar...@yahoo.com> wrote:
> Hi,
>
> I have a major security problem with CakePHP. For some reason the Auth
> component is not redirecting the browser to the login page for admin
> pages when the page is rendered with scaffolding. Other admin pages
> for controller actions are being redirected.
>
> I am using CakePHP version 1.2.1.8004.
>
> All my controllers allow access to admin routed pages, but I never
> called Auth->allow(..) for those admin actions. Other custom admin
> actions such as admin_myaction() are redirected to the login page.
>
> Please help... I don't know where to look to fix this.
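The condition quoted in the message above, reduced to a stand-alone PHP sketch (an added example, not part of the thread and not CakePHP's own code). `DemoController`, `skipsAuthAsQuoted()` and `skipsAuthFailClosed()` are hypothetical names, the requests are constructed, and the second function is one possible fail-closed check, not the fix shipped in later CakePHP versions.

```php
<?php
// Constructed stand-in for a controller; not a CakePHP class.
class DemoController {
    public $name;
    public $methods;   // action methods actually defined on the controller
    public $params;    // routed request parameters
    public $scaffold;  // true when undefined actions are served by scaffolding

    function __construct($name, $methods, $action, $scaffold) {
        $this->name = $name;
        $this->methods = $methods;
        $this->params = array('action' => $action);
        $this->scaffold = $scaffold;
    }
}

// The check as quoted in the thread; true means Auth startup returns early.
// The 'tests' clause is omitted because it depends on Configure::read().
function skipsAuthAsQuoted($c) {
    return strtolower($c->name) == 'cakeerror'
        || !in_array($c->params['action'], $c->methods);
}

// Hypothetical fail-closed variant: an undefined action only bypasses auth
// when nothing will serve it, so scaffolded actions stay protected.
function skipsAuthFailClosed($c) {
    if (strtolower($c->name) == 'cakeerror') {
        return true;
    }
    $defined = in_array($c->params['action'], $c->methods);
    return !$defined && !$c->scaffold;
}

// Constructed requests: name, defined methods, requested action, scaffold flag.
$requests = array(
    array('Posts', array('admin_myaction'), 'admin_myaction', true),
    array('Posts', array('admin_myaction'), 'admin_index', true),  // scaffolded
    array('CakeError', array('error404'), 'error404', false),
    array('Pages', array('display'), 'no_such_action', false),
);

foreach ($requests as $r) {
    $c = new DemoController($r[0], $r[1], $r[2], $r[3]);
    printf("%-10s %-15s quoted=%-8s fail-closed=%s\n", $r[0], $r[2],
        skipsAuthAsQuoted($c) ? 'skip' : 'enforce',
        skipsAuthFailClosed($c) ? 'skip' : 'enforce');
}
```

The scaffolded `admin_index` request is the only row where the two checks disagree: the quoted condition skips authentication because the action is not a controller method, while the scaffold-aware variant still enforces it.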



Re: Auth not redirecting for scaffold admin pages

2009-08-20 Thread Brendon Kozlowski (Realm)

If you were to search these google groups prior to posting, you
*probably* would have found the answer.  Scaffolding is typically a
means for quick non-production deployment so that there is something
to show your boss/stakeholders with regard to skeleton-level
interaction and navigation.  Once a more production level feature is
used (such as Auth), scaffolding is no longer supported.  Many of the
Cake devs have reported on this, and have iterated many times over
that scaffolds were never meant to be used in production where
security is a concern.  If it truly has been fixed in the latest
version, someone decided to be nice; however, there still may be other
issues with it that aren't noticed upon first glance.  I would
strongly suggest creating a simple baked controller and related views
for that model to err on the side of caution.

On Aug 20, 10:05 am, Mathew <nfoscar...@yahoo.com> wrote:
>     function startup($controller) {
>         $isErrorOrTests = (
>             strtolower($controller->name) == 'cakeerror' ||
>             (strtolower($controller->name) == 'tests' && Configure::read() > 0) ||
>             !in_array($controller->params['action'], $controller->methods)
>         );
>         if ($isErrorOrTests) {
>             return true;
>         }
>
> What the hell???
>
> This is from the Auth component. It skips auth startup if the action
> is not a method in the controller.
>
> Appears this is fixed in the latest version.
>
> On Aug 20, 9:48 am, Mathew <nfoscar...@yahoo.com> wrote:
>
>> Hi,
>>
>> I have a major security problem with CakePHP. For some reason the Auth
>> component is not redirecting the browser to the login page for admin
>> pages when the page is rendered with scaffolding. Other admin pages
>> for controller actions are being redirected.
>>
>> I am using CakePHP version 1.2.1.8004.
>>
>> All my controllers allow access to admin routed pages, but I never
>> called Auth->allow(..) for those admin actions. Other custom admin
>> actions such as admin_myaction() are redirected to the login page.
>>
>> Please help... I don't know where to look to fix this.