Security issue. Anonymous user can access the module/view that under admin interface

« 
Previous topic
|
Developer
|
Next topic
 »
Author Message

Bill2011 Du

Wednesday 04 May 2011 8:13:50 am

I have a new module/view that should only be accessed by admin. I confirm i don't change anything in my siteaccess setting : RoleSettings.

A start, all things were perfect , but i found this module/view can be accessed by anonymous users after some time.

I checked my siteaccess setting files, the RoleSettings[] has been modified. The following PolicyOmitList[] data was added:

[RoleSettings]
PolicyOmitList[]=newmodule/list

I found the RoleSettings[] was rewrited when i did something in Setup/Ini-setting/site.ini from admin interface.

I don't want my private module or view be accessed by anonymous users, please help me!!

Please help to stop that my private module or view be rewirted into PolicyOmitList[].

Thank you!

Ivo Lukac

Wednesday 04 May 2011 9:10:48 am

For disable anonymous access just comment the line with hash and clear ini cache:

#PolicyOmitList[]=newmodule/list

But the main question is where did this line come from if you didn't write it. That is a mystery.

http://www.linkedin.com/in/ivolukac
http://www.netgen.hr/eng/blog
http://twitter.com/ilukac

Bill2011 Du

Friday 06 May 2011 1:13:45 am

Thanks, Ivo Lukac .

It was rewrited after i edited the PolicyOmitList parameter of Setup/Ini-setting/site.ini form admin interface.

Is it means all module or view will wirte into PolicyOmitList parameter when edit the PolicyOmitList parameter of Setup/Ini-setting/site.ini form admin interface?

Ivo Lukac

Friday 06 May 2011 1:19:29 am

"

Thanks, Ivo Lukac .

It was rewrited after i edited the PolicyOmitList parameter of Setup/Ini-setting/site.ini form admin interface.

Is it means all module or view will wirte into PolicyOmitList parameter when edit the PolicyOmitList parameter of Setup/Ini-setting/site.ini form admin interface?

"

Of course it does. It is the same thing. Admin interface is used to edit all ini files without the need to open files directly...

http://www.linkedin.com/in/ivolukac
http://www.netgen.hr/eng/blog
http://twitter.com/ilukac
Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.

eZ debug

Timing: Jan 18 2025 02:20:58
Script start
Timing: Jan 18 2025 02:20:58
Module start 'layout'
Timing: Jan 18 2025 02:20:58
Module start 'content'
Timing: Jan 18 2025 02:20:59
Module end 'content'
Timing: Jan 18 2025 02:20:59
Script end

Main resources:

Total runtime0.7233 sec
Peak memory usage4,096.0000 KB
Database Queries60

Timing points:

CheckpointStart (sec)Duration (sec)Memory at start (KB)Memory used (KB)
Script start 0.00000.0045 589.5234152.6875
Module start 'layout' 0.00450.0029 742.210939.5625
Module start 'content' 0.00730.7144 781.7734550.5469
Module end 'content' 0.72170.0015 1,332.320312.0625
Script end 0.7233  1,344.3828 

Time accumulators:

 Accumulator Duration (sec) Duration (%) Count Average (sec)
Ini load
Load cache0.00310.4260160.0002
Check MTime0.00130.1742160.0001
Mysql Total
Database connection0.00050.069110.0005
Mysqli_queries0.673393.0898600.0112
Looping result0.00050.0737580.0000
Template Total0.695096.120.3475
Template load0.00200.276020.0010
Template processing0.693095.805020.3465
Template load and register function0.00010.018310.0001
states
state_id_array0.00060.083910.0006
state_identifier_array0.00160.218020.0008
Override
Cache load0.00170.2351280.0001
Sytem overhead
Fetch class attribute can translate value0.00060.078520.0003
Fetch class attribute name0.00090.129050.0002
XML
Image XML parsing0.00070.091020.0003
class_abstraction
Instantiating content class attribute0.00000.001560.0000
General
dbfile0.00080.1122170.0000
String conversion0.00000.001140.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

UsageRequested templateTemplateTemplate loadedEditOverride
1node/view/full.tplfull/forum_topic.tplextension/sevenx/design/simple/override/templates/full/forum_topic.tplEdit templateOverride template
4content/datatype/view/ezxmltext.tpl<No override>extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tplEdit templateOverride template
6content/datatype/view/ezxmltags/paragraph.tpl<No override>extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tplEdit templateOverride template
1content/datatype/view/ezxmltags/line.tpl<No override>design/standard/templates/content/datatype/view/ezxmltags/line.tplEdit templateOverride template
2content/datatype/view/ezimage.tpl<No override>extension/sevenx/design/simple/templates/content/datatype/view/ezimage.tplEdit templateOverride template
1content/datatype/view/ezxmltags/quote.tpldatatype/ezxmltext/quote.tplextension/ezwebin/design/ezwebin/override/templates/datatype/ezxmltext/quote.tplEdit templateOverride template
1print_pagelayout.tpl<No override>extension/community/design/community/templates/print_pagelayout.tplEdit templateOverride template
 Number of times templates used: 16
 Number of unique templates used: 7

Time used to render debug report: 0.0001 secs