This should not be possible but of course it deserves investigation. 
What web server do you use?
Are you behind any kind of proxy or load balancer?
Those friends who were able to access it, did they ever log into admin?
Can you diff your appadmin.py vs the latest welcome/controllers/appadmin?
When your friends were able to access it, did you see it? What did the page 
show? Do you have a screenshot? 

Massimo

On Tuesday, 1 July 2014 01:43:56 UTC-5, Detlev Bielz wrote:
>
> Hello,
>
> we, a small company, are using web2py for some web services with a couple 
> of different apps we developed ourselves.
> Recently, a colleague of mine pointed me to the fact that he was able to 
> access https://ourdomain/our_app/appadmin/index without having to 
> authenticate in any way. Since these services are my concern, I checked 
> instantly, but with three different browsers (Firefox, Chrome, IE) and 
> different user profiles for Firefox and Chrome I was not able to reproduce 
> this.
>
> Now, my colleague observed this phenomenon again, and a third colleague's 
> and my own browsers could reproduce this issue. But not only 
> 'our_app/appadmin' is accessible; appadmin of ALL other apps as well:
>
>    - https://ourdomain/our_other_app/appadmin/index
>    - https://ourdomain/our_third_app/appadmin/index, and even
>    - https://ourdomain/welcome/appadmin/index
>
> is accessible without having to log in! The only exception is 
> /admin/appadmin; there we have to log in.
>
> We all cleared caches etc. from our browsers, or used browsers and browser 
> profiles with which we had never accessed this web2py instance before.
>
> I know Massimo recommends not exposing admin and appadmin on production 
> instances, but this is not a public server (only known to a small circle of 
> customers), and we value the benefit of direct access to appadmin higher 
> than the risk. As long as appadmin is protected, that is. So we would like 
> to keep this option.
>
> Where can we check why appadmin is not protected any more?
>
> Thanks for your attention,
>
> Detlev
>
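The diff Massimo asks for in his fifth question can be scripted so it is repeatable across all of the affected apps. The following is an added example for this thread, not code from web2py or from either poster: it assumes the standard web2py layout (applications/<app>/controllers/appadmin.py) and treats the copy shipped with the welcome scaffold as the trusted reference. Besides the plain unified diff, it reports code lines that exist in the reference but are absent from the app's copy, which is how a deleted or commented-out authentication guard shows up. The two controller texts at the bottom are constructed stand-ins, and the guard line in them is illustrative rather than a quotation of web2py's appadmin.py.

```python
"""Compare an app's appadmin.py against the welcome app's reference copy.

Added example for the web2py-users thread; not web2py's own code.
Assumes applications/<app>/controllers/appadmin.py under the web2py root.
"""
import difflib
import os


def read_controller(app_root, app_name, controller="appadmin.py"):
    """Return the text of applications/<app_name>/controllers/<controller>."""
    path = os.path.join(app_root, "applications", app_name, "controllers", controller)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def unified_diff(reference, candidate, ref_name="welcome", cand_name="our_app"):
    """Unified diff of the reference controller against the app's copy."""
    return list(difflib.unified_diff(
        reference.splitlines(keepends=True),
        candidate.splitlines(keepends=True),
        fromfile="applications/%s/controllers/appadmin.py" % ref_name,
        tofile="applications/%s/controllers/appadmin.py" % cand_name,
    ))


def lines_missing_from(reference, candidate):
    """Non-blank, non-comment lines in the reference that the app's copy lacks.

    A guard that was deleted or turned into a comment appears in this list,
    which is the first thing to look at when appadmin stops asking for login.
    """
    def code_lines(text):
        out = set()
        for line in text.splitlines():
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                out.add(stripped)
        return out

    return sorted(code_lines(reference) - code_lines(candidate))


def compare_apps(app_root, app_name, reference_app="welcome"):
    """Diff one app's appadmin.py against the reference app's copy on disk."""
    ref = read_controller(app_root, reference_app)
    cand = read_controller(app_root, app_name)
    return {
        "identical": ref == cand,
        "diff": unified_diff(ref, cand, reference_app, app_name),
        "missing": lines_missing_from(ref, cand),
    }


# Constructed sample texts standing in for the two files on disk. The guard
# statement is illustrative, not a quotation of web2py's real appadmin.py.
REFERENCE_SAMPLE = """# appadmin reference (constructed)
import gluon.fileutils
if not gluon.fileutils.check_credentials(request):
    raise HTTP(401, 'Not authorized')
def index():
    return dict()
"""

MODIFIED_SAMPLE = """# appadmin local copy (constructed)
import gluon.fileutils
# if not gluon.fileutils.check_credentials(request):
#     raise HTTP(401, 'Not authorized')
def index():
    return dict()
"""

if __name__ == "__main__":
    # On a real install: compare_apps("/path/to/web2py", "our_app") for each app.
    for line in unified_diff(REFERENCE_SAMPLE, MODIFIED_SAMPLE):
        print(line, end="")
    print("missing from app copy:", lines_missing_from(REFERENCE_SAMPLE, MODIFIED_SAMPLE))
```

Run `compare_apps` once per application named in the report (our_app, our_other_app, our_third_app); an app whose copy is identical to welcome's points the investigation back at the web server or proxy questions rather than at the controller.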
