I partially agree. The problem is you signed out of Google but you did not sign 
out of admin. appadmin authorizes you if you are logged into admin. The 
fact that you log out from Google does not automatically sign you out from admin.

Can you reproduce the problem if you sign out from admin?

On Wednesday, 7 January 2015 06:08:13 UTC-6, Jacinto Parga wrote:
>
> Hi
>
> I have deployed my application in GAE and /appadmin/manage/auth works 
> fine, asking for a login to access.
>
> But, if I try to go to: https://myapp.appspot.com/appadmin
>
> Then the browser asks me: Sign in with your google account 
> <https://www.google.com/accounts/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://clubatletismosada.appspot.com/appadmin&ltmpl=gm&shdf=Ch8LEgZhaG5hbWUaE0NsdWIgQXRsZXRpc21vIFNhZGEMEgJhaCIU4rpxyPjOtFDC1cxqbSHxn4qazIsoATIUrdvnPgTHKBlIIF_ylVxiINsy4sI>
> .
>
> Ok, I sign in with my Google account (the owner of the application) and I can 
> access the whole database appadmin without logging in as 'administrator' 
> like in /appadmin/manage/auth
>
> So if the browser keeps the session, anyone can access my app database 
> from this browser. I have to remove the cookie of the session.
>
> I think it is a lack of security.
>
> So I would like to limit the access to https://myapp.appspot.com/appadmin 
> in the same way as /appadmin/manage/auth
>
> Thanks
>
