admin subsite allows regular users to view!?


hobo_hippy

Dec 4, 2011, 7:39:30 PM12/4/11
to Hobo Users
I'm testing my site for security holes. I've noticed if a regular user
tries to access an admin subsite page directly by typing in the url
such as www.baseurl/admin/whateverModel they can access the page! I
thought this was avoided in the admin site controller with the
before_filter... what's going on here?

Sure the pertinent information I don't want shared is protected by the
model permissions, but regular users shouldn't be able to view these
pages!!

So what's wrong here? How do I fix it?

hobo_hippy

Dec 4, 2011, 7:49:44 PM12/4/11
to Hobo Users
Ok, correction. They can't visit just any page on the admin subsite,
just the first page that was made, the Users page. While they can't
view any other users thanks to permissions being set correctly, I
don't want them to be able to access that page. I could toss a
redirect in the controller, but is there a cleaner solution?

On Dec 4, 7:39 pm, hobo_hippy <87bee...@gmail.com> wrote:
> I'm testing my site for security holes. I've noticed if a regular user
> tries to access an admin subsite page directly by typing in the url
> such as www.baseurl/admin/whateverModel they can access the page! I

Ronny Hanssen

Dec 5, 2011, 2:21:33 AM12/5/11
to hobo...@googlegroups.com
A redirect in the admin-controller for non-admins sounds good to me. Either redirect back to previous page, respond with "permission denied" or even just a 404.

Regards,
Ronny
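Ronny's suggestion, as an added example that is not Hobo's or the poster's code: a plain-Ruby model of the Rails before_filter chain (runs without Rails), with hypothetical controller names, showing why the check belongs on the base admin-site controller so the Users page and every other admin page turn non-admins away before the action runs.

```ruby
# Added example, not Hobo's or the poster's code: a minimal stand-in for the
# Rails before_filter chain. One filter declared on a base admin controller
# covers every admin page, including the Users page, and halts the request
# before the action runs. All classes here are constructed for illustration.
User = Struct.new(:login, :administrator)
class MiniController
  # Filters are registered per class and inherited by subclasses.
  def self.before_filters
    @before_filters ||=
      superclass.respond_to?(:before_filters) ? superclass.before_filters.dup : []
  end
  def self.before_filter(name)
    before_filters << name
  end

  def initialize(current_user)
    @current_user = current_user
    @status = nil
  end

  # Run the filters in order and stop as soon as one has rendered a response,
  # so the action never executes for a rejected request.
  def process(action)
    self.class.before_filters.each do |filter|
      send(filter)
      return @status if @status
    end
    send(action)
    @status
  end

  def render(status)
    @status = status
  end
end

# Base controller for the whole admin subsite: the check lives here once.
class AdminSiteController < MiniController
  before_filter :require_admin
  def require_admin
    # 404 rather than 403, so regular users get no confirmation the page exists.
    render 404 unless @current_user && @current_user.administrator
  end
end
# The Users page inherits the filter without declaring anything itself.
class AdminUsersController < AdminSiteController
  def index
    render 200
  end
end
```

The same pattern applies to every controller generated under the admin subsite: as long as they inherit from the base admin controller, no page is left unguarded.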