<?php
class AppController extends Controller {
    var $components = array('Session');
    var $helpers = array('MyPaginate', 'Text');
    // actions that may be reached without the admin session
    var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

    function beforeFilter() {
        # log in the admin
        if (isset($this->data['admin']['credentials'])) {
            if ($this->data['admin']['credentials'] == Configure::read('Admin.Username')
                && $this->data['admin']['pw'] == Configure::read('Admin.Password')) {
                $this->Session->write('admin', 1);
            } else {
                $this->Session->write('admin', 0);
            }
        }
        # or log him out!
        if (isset($this->data['admin']['logout']) && $this->data['admin']['logout']) {
            $this->Session->write('admin', 0);
            $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
        }
        if (!$this->Session->read('admin')) {
            if (!in_array($this->action, $this->allowedActions)) {
                $this->flash('You are not allowed to access this page', '/');
                // flash() only renders the flash view; it does not end the request,
                // so without an explicit stop the requested action still runs.
                $this->_stop();
                //$this->redirect(array('controller' => 'pages', 'action' => 'display'));
            }
        }
        if ($this->action == 'admin_view') {
            $this->setAction('view', $this->params['pass']);
        } elseif ($this->action == 'admin_doi_codes') {
            $this->setAction('doi_codes', $this->params['pass']);
        }
    }
}
thanks for the reply,
karl.
On 26 Oct., 21:49, Miles J <mileswjohn...@gmail.com> wrote:
> Are you applying the authorize login settings within the beforeFilter()?
>
> On Oct 26, 1:36 pm, audioworld <audiowo...@gmail.com> wrote:
>
> > I have a basic database management online at http://doidata.net
> > The access to the admin section is secured with a simple
> > authentication which is hardcoded in the file /config/core.php
> > In theory, for someone without the admin cookie set, access to the
> > routes
> > ../resource/delete/ID
> > should be blocked. However, when I try this URL in the browser, it
> > really works WITHOUT authentication, and the database entry is
> > deleted!!! This was demonstrated last night by Google Bot, which seems
> > to try out every possible route, and deleted most of my entries.
>
> > here are some lines from the APACHE access log:
> > 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> > 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>
> > I am very thankful for any help to lock up my database edit/delete
> > access,
> > thanks, karl.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
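The log above shows a crawler deleting rows with plain GET requests. As an added example (not karl's code and not part of CakePHP), here is a controller for that contributor_roles/delete route hardened in two ways: the action re-checks the admin session itself instead of trusting beforeFilter alone, and it refuses anything but POST, so a bot following links cannot trigger it. The class name, the ContributorRole model and the flash messages are assumptions.

```php
<?php
// Hypothetical controller for the /contributor_roles/delete/ID route seen in the log.
class ContributorRolesController extends AppController {
    var $name = 'ContributorRoles';
    var $components = array('Session');

    function delete($id = null) {
        // Authorize inside the action: a filter upstream that forgets to halt
        // the request must not be the only thing standing between a crawler and a delete.
        if (!$this->Session->read('admin')) {
            $this->Session->setFlash('You are not allowed to access this page');
            $this->redirect('/'); // redirect() ends the request by default
        }
        // A GET must never change data: search-engine bots and link prefetchers
        // issue GETs for every URL they discover. Only accept POST here, and
        // render a small form (not a plain link) in the view to reach this action.
        if (strtoupper((string)env('REQUEST_METHOD')) !== 'POST') {
            $this->Session->setFlash('Delete requests must be sent via POST');
            $this->redirect(array('action' => 'index'));
        }
        // Reject ids that are not positive integers before touching the model.
        if (!ctype_digit((string)$id) || (int)$id < 1) {
            $this->Session->setFlash('Invalid id');
            $this->redirect(array('action' => 'index'));
        }
        if ($this->ContributorRole->delete($id)) {
            $this->Session->setFlash('Contributor role ' . (int)$id . ' deleted');
        } else {
            $this->Session->setFlash('Delete failed');
        }
        $this->redirect(array('action' => 'index'));
    }
}
```

With this in place the requests in the log would be answered with a redirect instead of a 200 and no row would be removed, which also makes them easy to spot when reviewing the access log.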