Admin Security

[batmike]

I noticed that any admin user can access any admin page is they type in the full URL of whatever page they're trying to access. This doesn't seem to work for all pages (the users page kicked back to the login page) but it does work for the store settings page and the password policy page (the only one's I checked). Is there any way to make sure all pages are secure from direct access even by other admins who don't need to be changing the store settings and things like that.

Thanks,
Mike

[jmestep]

I think this would be a matter of assigning users to a particular group based on the functions they will be allowed access to.

[batmike]

Thanks for the reply.

I have done that. I tested it from a user that is only allowed access to the catalog and the orders. I then manually typed in the url of the store settings page and it brought it up no problem.

[jmestep]

I just tested it on a site where I am an admin, not a super user and don't have access to the password policy. You are correct- I was able to access the password policy page by typing in the URL.
I'm going to post a bug.

[batmike]

Sounds good, let me know what you find out.

Mike

[Logan Rhodehamel]

Bug 6784. It will be investigated (and solved) today. I have an idea of what the problem is.

[Logan Rhodehamel]

http://bugs.ablecommerce.com/show_bug.cgi?id=6784

There is a proposed patch attached to the bug.

[jmestep]

I tried to add this to the bug, but it wouldn't let me:
Are you sure the new/overwrite instructions are right?
I've looked in two installs and there is no web.config in Admin\Store
But there is a web.config already here:
Admin/Store/Security/Web.config

[Logan Rhodehamel]

I reversed them. The store/security file was the one that already exists. The other three files are new. I added a comment on the bug to that effect.