[ic] Interchange Web Administration .....

Scott Fletcher interchange-users@lists.akopia.com
Fri Jul 13 16:55:00 2001


>	I tried the direct access attempt without logging in and it did stop me
>from using the webpage without logging in.  So, that is a good sign!  However,
>I'm a little confused about why when I use the URL address,
>"http://whatever.com/cgi-bin/shopcart/admin/index.html", it showed the front
>page of the admin page and no login page.  What I mean by that is when you
>log in, then you are brought to the front page of the admin page.  In this case,
>no login prompt and it shows the front page as if you had already logged in, which
>in fact I wasn't!


	I believe I found the problem!  There seems to be a security
breach in the Interchange software.  When I start up a web browser, I can
type in the URL address,
"http://whatever.com/cgi-bin/chopcart/admin/index.html".  It automatically
goes to the login.html page.  However, when I use the JavaScript,
"window.open("http://whatever.com/cgi-bin/chopcart/admin/index.html","",............);"

	Your email just came in while I was writing this code, so I'll add
it to this.

>have you removed:
>
>@_UI_STD_HEAD_@
>
>from the file?
>
>this includes code to handle the access control.. a snip:
>
>[if-mm !logged_in]
>	[if !scratch no_login_required]
>		[bounce page="__UI_BASE__/login"]
>	[/if]
>[/if-mm]

	I checked the code in the index.html and it includes the
"@_UI_STD_HEAD_@" and I didn't modify the code in the index.html at all.
It seems that the pop-up window renders the "@_UI_STD_HEAD_@" ineffective
somehow.

Scott