Some users have been able to access the Teller
and Admin pages. Setting my own account to member
level I was unable to do so.
What I believe was occurring was that when someone who
was not previously in the database logged in, the check
for their "level" was useless because the variable was
left undefined. The auth system specifically
restricted those with a level of "0", so I believe
those with an undefined level were allowed access.
I've put in a check to see if the level is set and deny
access to anyone whose level is not set.
Were any older members also able to access pages they
should not be able to?
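To illustrate the failure mode described above, the following is an added example and not the project's own auth.php: a level check that denies only an explicit "0" passes users who are missing from the table entirely, because PHP's loose comparison treats an undefined (null) level as not equal to "0". The table and function names are assumed for the illustration.

```php
<?php
// Added illustration of the bug described in the comment above; not the
// project's own code. $user_levels and the function names are assumed.

// Constructed user table: level "0" is an ordinary member, higher is staff.
$user_levels = [
    'alice' => '2',   // admin
    'bob'   => '0',   // plain member
    // 'carol' has logged in but was never added to the table
];

// Vulnerable version: denies only an explicit "0" level. For a user missing
// from the table $level is null, and in PHP null == "0" is false, so the
// deny branch is skipped and access is granted.
function can_access_admin_vulnerable(array $levels, string $user): bool
{
    $level = $levels[$user] ?? null; // undefined for unknown users
    if ($level == "0") {
        return false;
    }
    return true;
}

// Fixed version: default-deny. Access is granted only when the level exists
// and is explicitly above 0, so an unknown user can never slip through.
function can_access_admin_fixed(array $levels, string $user): bool
{
    if (!isset($levels[$user])) {
        return false;
    }
    return (int) $levels[$user] > 0;
}

foreach (['alice', 'bob', 'carol'] as $user) {
    printf("%-6s vulnerable=%s fixed=%s\n",
        $user,
        can_access_admin_vulnerable($user_levels, $user) ? 'allow' : 'deny',
        can_access_admin_fixed($user_levels, $user) ? 'allow' : 'deny');
}
```

Running it shows carol, who has no row at all, allowed by the vulnerable check and denied by the fixed one, while alice and bob are handled the same way by both.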
Logged In: YES
user_id=987725
This should now be 'mostly' fixed. If a user's name is not
found in the database they will no longer have access to the
main Teller and Admin pages. However everyone, including
those not authenticated in any way, can type in the URL of
any admin function and successfully bring up a page. To my
knowledge there is no way (at least no easy way) to actually
enter any data into the function so nothing happens.
It is something worth stopping anyway, of course. I'd like to
stick everything back into auth.php. The current pieces in
the admin and teller pages were put there in something of a
hurry.