It's not a massive problem, but it's something that should be tidied up.
The best bet is to force admin log-in for these kinds of actions, since sometimes you want to be able to do this on the live site - to update the schema after republication, for example.
One of the issues is that we will run into at our office is that our publication script needs to be able to visit db/build without logging in.
I recommend that we set up some kind of "debug security" option in the form of a function called Security::use_debug_security();
It will
* Check that the IP requesting isn't one of the "allowed IPs"
* Otherwise, check that this current user has admin privileges
* Otherwise, redirect to the log-in page and end execution.
function doBuild($quiet = false) {
+ Security::use_debug_security();
if($quiet) DB::quiet();
else echo "<h2>Building Database</h2>";
We can add a method Security::allow_debug_security_for($ip). $ip could be:
* 192.168.0.1
* 192.168.0/24
* 192.168/16
* 192/8
This debug security option can also be used on manually switching to dev mode, viewing profile / debugging information, flushing the templates, etc.