[typo] Visible admin urls?

Pawel Szymczykowski makenai at gmail.com
Mon Mar 20 14:31:00 EST 2006

Hi all,

I was looking at my logs today and noticed a bunch of hits like this: - - [20/Mar/2006:08:41:01 -0800] "GET
/articles/tag/credit HTTP/1.1" 200 9386 "-" "Java/1.5.0_06" "-" - - [20/Mar/2006:08:41:29 -0800] "GET
/admin/content/edit/38 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-" - - [20/Mar/2006:08:41:32 -0800] "GET
/admin/content/edit/39 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-" - - [20/Mar/2006:08:41:35 -0800] "GET
/admin/content/edit/34 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-" - - [20/Mar/2006:08:41:37 -0800] "GET
/admin/content/edit/37 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-"

(Nevermind that this particular bot doesn't seem to follow robots.txt)

It kind of freaked me out, so I looked into the issue a little bit
more and noticed this in the code:

<div class="post" onmouseover="if (getCookie('is_admin') == 'yes') {
Element.show('admin_article'); }" 
onmouseout="Element.hide('admin_article');" >
  <a href="/admin/content/edit/44" class="admintools"
id="admin_article" style="display: none">edit</a>

Is there any reason this stuff should be visible to someone who isn't
even logged in? Can't we hide it server side or something? OK - bad
idea because of the caching - but how about at least obscuring the
link with javascript or something? I don't mean something spammy with
lots of string concatenation, but how about just a function in a
peripheral .js file that does a document.write of the link?

I realize that the link won't do anything without authentication (as
shown in the redirect from the logs), but it still makes me a little
bit paranoid that it's there. Why show all of your houseguests the
exact location of the floor safe if you don't have to?

OK. That's all - sorry, I'm going to take a deep breath and calm down.
Am I overreacting, or does anyone else find this a bit scary?

Thanks for listening.


More information about the Typo-list mailing list