Some things really scare me: I was checking my sitemap.xml file as an unauthenticated user and I found I could reach some default pages which I didn’t think I could. However, I couldn’t find any role/permission setting to disable and/or restrict access. It looks like an issue, and I could access pages of users in this community whose websites I could easily recognize as ERPNext instances. Some pages even returned me some error logs, revealing files and folder structure, which I don’t think is a good idea to show.
But mostly, it’s having access to some portal pages where access should not be allowed at all for anything related to portal, no matter how secure/insecure. Being able to access the demo page and stuff… I don’t think it should be possible.
I thought these guys might have some poorly configured servers, but that happens on your demo site, no matter if I’m logged in or not (well, all but the demo thing… I do think it’s working for a reason there). Here are some accessible URIs which returned me some unwanted feedback:

- project
- profile
- message
- cart_terms => returns error log
- complete_signup => returns invalid api call
- search
- cart
- product_search => returns list of products and I can access them
- demo
- task_info => returns uncaught server exception log
- timelog_info => returns uncaught server exception log
- partners
- list
- courses
- order => returns uncaught server exception log
- job_application
- tasks
- discussion
- all-item-groups/products
- all-item-groups/products/[items-discovered]
I think there should be a lot more control over pages and routes, and maybe it’s just ignorance on my side. Can anybody point me to where I can effectively restrict access to what I explicitly make available publicly?
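The check described in the post (walking your own sitemap.xml as an unauthenticated user and noting which routes answer, and which of those answer with a stack trace or a server error) can be turned into a repeatable audit of a site you operate. The script below is an added example, not code from the post or from the ERPNext/Frappe project. The hostname `example.invalid`, the sitemap and the response bodies are constructed so that it runs offline; `http_fetch` is a plain `urllib` fetcher you would pass instead of `offline_fetch` when auditing your own instance.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Constructed sitemap standing in for https://<your-site>/sitemap.xml (hostname is a placeholder).
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.invalid/project</loc></url>
  <url><loc>https://example.invalid/cart_terms</loc></url>
  <url><loc>https://example.invalid/task_info</loc></url>
  <url><loc>https://example.invalid/login</loc></url>
</urlset>"""

# Constructed (status, body) pairs an unauthenticated GET might return for each route.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://example.invalid/project": (200, "<html>Projects page rendered for Guest</html>"),
    "https://example.invalid/cart_terms": (200, "<pre>Traceback (most recent call last):\n"
                                               "  File \"/home/frappe/apps/cart.py\"</pre>"),
    "https://example.invalid/task_info": (500, "Internal Server Error"),
    "https://example.invalid/login": (200, "<form>login</form>"),
}

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Markers that a response is exposing server internals (traceback text, absolute paths).
LEAK_PATTERNS = re.compile(r"Traceback \(most recent call last\)|/home/\w+/|uncaught .*exception", re.I)

Fetcher = Callable[[str], Tuple[int, str]]


def parse_sitemap(xml_text: str) -> List[str]:
    """Return every <loc> URL listed in a sitemap urlset."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall("sm:url/sm:loc", SITEMAP_NS) if loc.text]


def classify(status: int, body: str) -> str:
    """Label one unauthenticated response: protected, server-error, leaks-internals or public."""
    if status in (401, 403):
        return "protected"          # access correctly refused to Guest
    if status >= 500:
        return "server-error"       # route crashes for Guest: should be fixed or gated
    if LEAK_PATTERNS.search(body):
        return "leaks-internals"    # 200 but the body carries a traceback or file paths
    return "public"                 # reachable; decide whether it should be


def audit(sitemap_xml: str, fetch: Fetcher) -> Dict[str, str]:
    """Fetch every sitemap URL with the given fetcher and classify the answers."""
    return {url: classify(*fetch(url)) for url in parse_sitemap(sitemap_xml)}


def needs_attention(results: Dict[str, str]) -> List[str]:
    """URLs whose unauthenticated response is an error or leaks internals."""
    return sorted(u for u, label in results.items() if label in ("server-error", "leaks-internals"))


def offline_fetch(url: str) -> Tuple[int, str]:
    """Fetcher backed by the constructed responses above (no network)."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetcher for a site you operate: anonymous GET, first 64 KiB of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": "sitemap-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


if __name__ == "__main__":
    results = audit(SAMPLE_SITEMAP, offline_fetch)
    for url, label in results.items():
        print(f"{label:16} {url}")
    print("needs attention:", needs_attention(results))
```

Run it against a real instance by replacing `SAMPLE_SITEMAP` with the fetched sitemap text and passing `http_fetch` to `audit`; the "public" bucket is the list to compare against what you intentionally publish, and the other two buckets are the routes that answer Guest with a crash or a stack trace.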