How do I disable or restrict access to /dev/reset on a production site? I tried removing all of the servers in Director::set_dev_servers and setting Director::set_environment_type("live");. I can still access /dev/reset, which means a visitor can can delete the entire site. Please advise!
We've moved the forum!
Please use forum.silverstripe.org for any new questions
(announcement).
The forum archive will stick around, but will be read only.
You can also use our Slack channel
or StackOverflow to ask for help.
Check out our community overview for more options to contribute.
From a look at the source for sapphire/dev/DevelopmentAdmin.php, users only have access to this anything in dev/ if you're either logged in as a user with ADMIN rights, or the site's in development mode. Are you sure you're not logged into your site as admin? Once you've checked that, I suggest you check that the production site isn't in dev mode, perhaps by using Debug::show(Director::isDev()) in a page controller. Once you've ruled that out, make sure your security groups only have ADMIN rights when you expect this.
Toby
Being logged in was it. I had IE open for days and it did not cleanly log me out. Restarting IE solved it.
Get yourself a real browser.