1) I noticed that securesite_filter_check() is only called for non-logged in user. And for logged in user, it always check 'access site' user access. How about if logged in user is just trying to access a "bypassed" page, in that case, I don't think the logged in user should need 'access site'.

2) Also, 'access site' check is only done for logged in user. Would it be more consistent to check 'access site' for non-logged user as well? Since 'access site' option is available to anonymous on the User Management -> Access control page.

Thanks!

Comments

junyor’s picture

Status: Active » Closed (works as designed)

1) The permissions system should really be used for authenticated users rather than the Secure Site bypass feature.

2) It doesn't make sense to give anonymous users the "access site" permission, since they'll need to enter a username and password (which they don't have) to authenticate. That's why we have the guest user feature.