First i wanted to post this in the Bugs Forum, but i am not sure if i do something wrong or it can be done in a different way.
Because guests do not have any rights on my site i removed all permissions for them in page builder.
After i found out, that they still can access all modules by entering the urls (deep links) in their browser i added url rules to all these pages in Page Access Control. Everything worked fine until today when i wanted to upload photos. (Only tested for photos yet, same should be for videos etc.)
While uploading them, the lower part where you can fill out the description showed the usual access denied information. If i remove the "guest forbidden url rule" to /m/photos/.* its working again. I am not a guest so why the rule effects me? Is it because javascript or flash is being used to upload files and they do not interact with the rest of the security system?
Currently i don't know how to protect my site against guests which access with deep links. So how i can achieve this? It feels like the whole system can be compromised if you know what to enter in the adressbar of your browser.
