On Sep 17, 6:45 am, beetlecube <[EMAIL PROTECTED]> wrote:
> I realized humorously, that my delete links for the posts on my mini-
> discussion board were clearly showing in the status bar:
> "www.mysite.com/index.php/posts/delete/45".
>
> So of course even though the delete link shows up only for posts
> where post.userid = session[userid], if you are a user who has half a
> brain, you would eventually see the URL on the status bar and you
> could just type it in manually to delete any post you want that other
> people posted.
>
> So along with setting the status="" attribute for each "href", I
> realized I need to add to my controller's code for the delete()
> function:
>
> if ( $session->read('userid') == $data->post['userid'] )
>
> Would you do even more than that, to prevent unwanted post deletions?

The above would prevent another user from directly deleting posts that
are not their own. But there should be access control of some kind on
every url (are these urls only accessible to logged in users? hope so)
that does something.

You might want to consider the fact that with nothing else in place a
malicious user can get bob to delete his own posts just by looking at
a page with a link of any kind to
www.mysite.com/index.php/posts/delete/bobsPostId
whilst logged in to your site.

More info:
http://en.wikipedia.org/wiki/Cross-site_request_forgery (PDF
referenced is a good read)
http://www.ad7six.com/MiBlog/capabilityBasedSecurity

hth,

AD
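As an added illustration (not code from this thread or from CakePHP itself), here is a framework-agnostic PHP delete handler that applies both points above: every request must be logged in, the post must belong to the session user, and the delete only happens on a POST carrying a per-session token, so a bare link on another page cannot trigger it. `load_post()` and `delete_post()` are hypothetical helpers standing in for the model layer.

```php
<?php
// Added example, not from the thread or CakePHP. Assumes modern PHP (7+)
// and hypothetical helpers load_post($id) -> array|null and delete_post($id).
session_start();

// One random token per session; embedded in every delete form below.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_valid($submitted) {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Pure decision function, kept apart from I/O. Returns an HTTP status:
// 401 not logged in, 405 not a POST, 403 bad token or not the owner,
// 404 no such post, 200 allowed to delete.
function handle_delete($method, $sessionUserId, $post, $submittedToken) {
    if ($sessionUserId === null) return 401;             // access control on every URL
    if ($method !== 'POST') return 405;                  // a link/GET must never delete
    if (!csrf_token_valid($submittedToken)) return 403;  // blocks the forged-link case
    if ($post === null) return 404;
    if ((int)$post['userid'] !== (int)$sessionUserId) return 403; // ownership check
    return 200;
}

// Controller side: id taken from the request (hypothetical routing).
$postId = (int)($_GET['id'] ?? 0);
$post   = load_post($postId);
$status = handle_delete($_SERVER['REQUEST_METHOD'],
                        $_SESSION['userid'] ?? null,
                        $post,
                        $_POST['csrf_token'] ?? null);
if ($status === 200) {
    delete_post($postId);
}
http_response_code($status);

// View side: render the delete as a form with the token, never as a plain href.
echo '<form method="post" action="/index.php/posts/delete/' . $postId . '">'
   . '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">'
   . '<button type="submit">Delete</button></form>';
```

Hiding the URL from the status bar does nothing for security; the ownership check plus the POST-and-token requirement is what actually closes both holes.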

