How do I disable or restrict access to /dev/reset on a production site? I tried removing all of the servers in Director::set_dev_servers and setting Director::set_environment_type("live");. I can still access /dev/reset, which means a visitor can can delete the entire site. Please advise!
From a look at the source for sapphire/dev/DevelopmentAdmin.php, users only have access to this anything in dev/ if you're either logged in as a user with ADMIN rights, or the site's in development mode. Are you sure you're not logged into your site as admin? Once you've checked that, I suggest you check that the production site isn't in dev mode, perhaps by using Debug::show(Director::isDev()) in a page controller. Once you've ruled that out, make sure your security groups only have ADMIN rights when you expect this.
Being logged in was it. I had IE open for days and it did not cleanly log me out. Restarting IE solved it.
Get yourself a real browser.