TOPIC: Security: unauthenticated user able to access usermanage

Security: unauthenticated user able to access usermanage 11 years 3 months ago #21367

straatvaart (Topic Author, Fresh Boarder, Posts: 1)
Dear all,
I am using DTregister on a J 2.5.14 installation and verified the following:

An unauthenticated user is able to access the usermanage controller from the front end of the component.

For example

yoursite.com/index.php/component/dtregister/?task=edit&controller=usermanage

yoursite.com/index.php/component/dtregister/?task=edit&controller=usermanage&cid%5b0%5d=1

By entering the cid=X number I can easily navigate through all registers even if unauthenticated.

Is this a security bug or am I doing something wrong in the access settings?

Is there a way to avoid this? I don't want unauthenticated users to look through my records by "guessing" usermanage numbers.

Many thanks


Security: unauthenticated user able to access usermanage 11 years 3 months ago #21372

nathan.dth (Administrator, Posts: 1857, Karma: 19)
Hello! You should be able to handle this with access settings. Set your Control Panel menu item to an appropriate access level. Then make sure all links to this in your site are going through that full link including the ItemId. You could go an additional step of setting up some URL redirects so if someone tries to access that location without the ItemID (bypassing the menu access control), it will redirect them automatically to the full URL. I'd recommend using sh404SEF as you could make custom URLs and easily set up "alias" URLs to pull in the other variations into the one you are controlling.

Of course in DT Register permissions, you can control which users have access to manage records and such... and if they can only manage records for events they own, etc.


Nathan is no longer affiliated with DTH since the recent acquisition. You can connect with him and get any type of Joomla website help at www.JoomlaEmployee.com .
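The report above describes an insecure direct object reference: a front-end task reads `cid[0]` from the request and shows whatever record it names, so a guest can walk the id space. Nathan's reply points to menu access levels and DT Register's own permissions; the menu-level control only applies to requests that arrive through the menu route, which is why the `component/dtregister/` URL without an `Itemid` bypasses it, so the check that actually closes the hole has to sit in the controller. The following is an added example and not DT Register's code: a hypothetical Joomla 2.5 front-end controller (`com_example`, table `#__example_registrations` with a `user_id` column, ACL actions `core.edit` and `core.edit.own` are all assumed names) with the vulnerable task shape next to a hardened one that checks authentication, component permission and record ownership before rendering.

```php
<?php
// Added example (not DT Register's code). Component name, table name and
// ACL actions are hypothetical placeholders for illustration.
defined('_JEXEC') or die;

jimport('joomla.application.component.controller');

class ExampleControllerUsermanage extends JController
{
    // Vulnerable shape: the task trusts cid[] and renders whatever record
    // it names. Nothing here asks who the caller is or whose record it is,
    // so ?task=editInsecure&controller=usermanage&cid[0]=N works for guests.
    public function editInsecure()
    {
        $cid = JRequest::getVar('cid', array(), '', 'array');
        $id  = (int) (isset($cid[0]) ? $cid[0] : 0);

        JRequest::setVar('view', 'usermanage');
        JRequest::setVar('layout', 'edit');
        JRequest::setVar('id', $id);
        parent::display();
    }

    // Hardened shape: deny guests, require the ACL action, and require that
    // the record belongs to the requesting user unless they may edit all.
    // These checks do not depend on the URL or Itemid used to reach the task.
    public function edit()
    {
        $user = JFactory::getUser();
        $cid  = JRequest::getVar('cid', array(), '', 'array');
        $id   = (int) (isset($cid[0]) ? $cid[0] : 0);

        // 1. Authentication: guests are sent to the login form and come back
        //    to the same URL afterwards.
        if ($user->get('guest')) {
            $return = base64_encode(JURI::getInstance()->toString());
            $this->setRedirect(JRoute::_('index.php?option=com_users&view=login&return=' . $return, false));
            return false;
        }

        // 2. Authorisation: the component-level action must be granted to
        //    one of the user's groups (configured under Options > Permissions).
        $canEditAll = $user->authorise('core.edit', 'com_example');
        $canEditOwn = $user->authorise('core.edit.own', 'com_example');
        if (!$canEditAll && !$canEditOwn) {
            JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
            $this->setRedirect(JRoute::_('index.php?option=com_example', false));
            return false;
        }

        // 3. Object-level check: load the record's owner and compare it with
        //    the caller. $id is already cast to int, so no string is interpolated.
        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName('user_id'))
            ->from($db->quoteName('#__example_registrations'))
            ->where($db->quoteName('id') . ' = ' . $id);
        $db->setQuery($query);
        $ownerId = $db->loadResult();

        if ($ownerId === null || (!$canEditAll && (int) $ownerId !== (int) $user->get('id'))) {
            // Same response for "no such record" and "not your record", so a
            // logged-in user cannot use the difference to confirm which ids exist.
            JError::raiseWarning(404, JText::_('JGLOBAL_RESOURCE_NOT_FOUND'));
            $this->setRedirect(JRoute::_('index.php?option=com_example', false));
            return false;
        }

        JRequest::setVar('view', 'usermanage');
        JRequest::setVar('layout', 'edit');
        JRequest::setVar('id', $id);
        parent::display();
        return true;
    }
}
```

The ordering matters: the guest check runs before any database access, the ACL check before the record is loaded, and the ownership comparison before anything is rendered. Menu access levels and redirects, as suggested in the reply, are still worth having as a second layer, but a task that performs these checks itself is protected regardless of which URL a visitor types.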