Hello, we, a small company, are using web2py for some web services with a couple of different apps we developed ourselves. Recently, a colleague of mine pointed me to the fact that he was able to access *https://ourdomain/our_app/appadmin/index* without having to authenticate in any way. Since these services are my concern, I checked instantly, but with three different browsers (Firefox, Chrome, IE) and different user profiles for Firefox and Chrome I was not able to reproduce this.
Now, my colleague observed this phenomenon again, and a third colleague and my own browsers could reproduce this issue. But not only '*our_app/appadmin*' is accessible; appadmin of ALL other apps as well:

- *https://ourdomain/our_other_app/appadmin/index*
- *https://ourdomain/our_third_app/appadmin/index*
- even *https://ourdomain/welcome/appadmin/index*

is accessible without having to log in! The only exception is /admin/appadmin; here we have to log in. We all cleared caches etc. from our browsers or used browsers and browser profiles with which we had never accessed this web2py instance before. I know Massimo recommends not exposing admin and appadmin on production instances, but this is not a public server (only known to a small circle of customers), and we value the benefit of direct access to appadmin higher than the risk. As long as appadmin is protected, that is. So we would like to keep this option. Where can we check why appadmin is not protected any more?

Thanks for your attention,
Detlev
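A quick way to re-check the symptom described above from the server's point of view, as an added example that is not part of the original post or of web2py: probe each app's appadmin index with a cookie-less, credential-less request and report whether it answers with the admin login redirect or with the appadmin page itself. The base URL and app names are placeholders taken from the question; `assess` and `probe` are names chosen here.

```python
"""Constructed check: is appadmin reachable without authentication?
Placeholders: BASE_URL and APPS come from the question, not from a real deployment."""
import urllib.error
import urllib.request

BASE_URL = "https://ourdomain"  # placeholder from the post
APPS = ["our_app", "our_other_app", "our_third_app", "welcome", "admin"]


def appadmin_url(base, app):
    """Build https://host/<app>/appadmin/index for one application."""
    return "{}/{}/appadmin/index".format(base.rstrip("/"), app)


def assess(status, location, body):
    """Classify one unauthenticated GET of an appadmin URL.

    Expected when protected: a 3xx redirect into /admin/ (the login page)
    or an outright 401/403. A 200 whose body is the appadmin page means
    the controller served it without asking for credentials."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if 300 <= status < 400:
        return "protected" if "/admin/" in (location or "") else "unexpected"
    if status == 200 and "appadmin" in body.lower():
        return "EXPOSED"
    return "unexpected"


def probe(url, timeout=10):
    """GET url with no cookies or credentials; return (status, Location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Do not follow redirects, so the login redirect stays visible.
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Location"), body
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx, 5xx land here
        body = err.read(65536).decode("utf-8", "replace")
        return err.code, err.headers.get("Location"), body


if __name__ == "__main__":
    for app in APPS:
        url = appadmin_url(BASE_URL, app)
        print(app.ljust(16), assess(*probe(url)), url)
```

Run it once from a host that is not the web2py server itself and once from the server (localhost), since the two vantage points can legitimately differ; any "EXPOSED" line from the remote run is the case to investigate.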