Usergroup: Customer
Joined: Aug 29, 2003
Total Topics: 1
Total Posts: 1
Posted 10/20/04 - 11:04 AM:
#1
Clean install of 3.12 - admin login is always displayed even when not logged in. I'm guessing that's not supposed to happen (wrapper.tpl):
Admin Control Panel
Also, it would be a good security measure to change default admin directory which is offered in Settings... Configuration, but 'admin/' is hardcoded throughout the code (e.g. email notification) so it ain't much use. Could this be addressed in a future version?
Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 55
Total Posts: 5703
Posted 10/22/04 - 01:13 AM:
#2
I'm guessing that's not supposed to happen
Why would you guess that? By default, it's best to let people see how to get to their admin panel on a new install. If there were no admin panel link to be seen, people would simply get confused. Anyone who wishes to hide it from non-admins may simply do so.
it would be a good security measure to change default admin directory
Not at all. If someone has access to an admin account they can do plenty of damage from the non-admin directory. (Of course, only possible if you don't use the IP restriction security feature in addition to using a password that someone can acquire/guess.) The option is there for people who have to change it due to their website admin panel conflicting.
'admin/' is hardcoded throughout the code (e.g. email notification)
Email notifications aren't 'hardcoded', they're language items. Appears to be in just 2 of them, may alter them at some point but language does not get changed on upgrade anyway so you won't notice.