I understand a user can not directly access mysite.com/users/admin_index
-- Instead they go to mysite.com/admin/users/index
But, is there any automatic security checking? Because anyone can type in mysite.com/admin/users/index
Is it still up to the UsersController to filter out unauthorized users? such as have an IsAuthorized setting, or the function admin_index still needs to check the user's privileges and reject the request if the user doesn't have admin privs?
In which case I don't see the advantage of using the admin_ prefix. Seems like a big security problem if every controller function needs to check the user's privileges. Is there a better way I'm missing?
Can IsAuthorized somehow say only admin users are allowed to run admin functions?
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
No comments:
Post a Comment