Security issue. Anonymous user can access the module/view that is under admin interface
Bill2011 Du
Wednesday 04 May 2011 8:13:50 am
I have a new module/view that should only be accessed by admin. I confirm I didn't change anything in my siteaccess setting: RoleSettings.
At the start, everything was perfect, but I found this module/view can be accessed by anonymous users after some time.
I checked my siteaccess setting files, the RoleSettings[] has been modified. The following PolicyOmitList[] data was added:
[RoleSettings]
PolicyOmitList[]=newmodule/list
I found the RoleSettings[] was rewritten when I did something in Setup/Ini-setting/site.ini from the admin interface.
I don't want my private module or view to be accessed by anonymous users, please help me!!
Please help to stop my private module or view from being rewritten into PolicyOmitList[].
Thank you!
Ivo Lukac
Wednesday 04 May 2011 9:10:48 am
To disable anonymous access, just comment out the line with a hash and clear the ini cache:
#PolicyOmitList[]=newmodule/list
But the main question is where did this line come from if you didn't write it. That is a mystery.
http://www.linkedin.com/in/ivolukac http://www.netgen.hr/eng/blog http://twitter.com/ilukac
Friday 06 May 2011 1:13:45 am
Thanks, Ivo Lukac.
It was rewritten after I edited the PolicyOmitList parameter of Setup/Ini-setting/site.ini from the admin interface.
Does it mean all modules or views will be written into the PolicyOmitList parameter when editing the PolicyOmitList parameter of Setup/Ini-setting/site.ini from the admin interface?
Friday 06 May 2011 1:19:29 am
Of course it does. It is the same thing. Admin interface is used to edit all ini files without the need to open files directly...
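Because the admin interface writes to the same ini files, a periodic check of the effective PolicyOmitList[] against a reviewed baseline catches entries like newmodule/list before they go unnoticed. The following is an added example, not code from the posters or from eZ Publish; the baseline set and the sample file content are constructed assumptions.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]\s*$")
ENTRY = re.compile(r"^PolicyOmitList\[\](?:=(.*))?$")

def policy_omit_list(ini_text):
    """Return the effective [RoleSettings] PolicyOmitList[] entries."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, or an entry disabled with a hash
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if section == "RoleSettings" and m:
            value = (m.group(1) or "").strip()
            if value:
                entries.append(value)
            else:
                entries.clear()  # a bare "PolicyOmitList[]" resets the array
    return entries

def unexpected_omits(ini_text, allowed):
    """Entries that bypass the policy check but are not in the baseline."""
    return [e for e in policy_omit_list(ini_text) if e not in allowed]

# Constructed sample of a siteaccess site.ini override (not a real file).
SAMPLE = """<?php /* #?ini charset="utf-8"?
[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
#PolicyOmitList[]=content/view
PolicyOmitList[]=newmodule/list
*/ ?>"""

# Assumed baseline: the module/view pairs the site owner has approved.
ALLOWED = {"user/login"}

if __name__ == "__main__":
    for entry in unexpected_omits(SAMPLE, ALLOWED):
        print("unexpected PolicyOmitList entry:", entry)
```

Run it against each siteaccess and override copy of site.ini after any change made through Setup/Ini-setting, and clear the ini cache after correcting a file.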