This includes getting bob to look at a page, with an img tag that
links to the site, such as

<img src="http://www.mysite.com/index.php/posts/delete/bobsPostID"
width="0" height="0" border="0">

could even tinyurl it!

On 18/09/2007, beetlecube <[EMAIL PROTECTED]> wrote:
>
> Thanks for the replies, very helpful.
>
> On Sep 17, 1:31 am, AD7six <[EMAIL PROTECTED]> wrote:
> > On Sep 17, 6:45 am, beetlecube <[EMAIL PROTECTED]> wrote:
> >
> > > I realized humorously that my delete links for the posts on my
> > > mini-discussion board were clearly showing in the status bar:
> > > "www.mysite.com/index.php/posts/delete/45".
> >
> > > So of course even though the delete link only shows up for posts
> > > where post.userid = session[userid], if you are a user who has half a
> > > brain, you would eventually see the URL on the status bar and you
> > > could just type it in manually to delete any post you want that other
> > > people posted.
> >
> > > So along with setting the status="" attribute for each "href", I
> > > realized I need to add to my controller's code for the delete()
> > > function:
> >
> > > if ( $session->read('userid') == $data->post['userid'] )
> >
> > > Would you do even more than that, to prevent unwanted post deletions?
> >
> > The above would prevent another user from directly deleting posts that
> > are not their own. But there should be access control of some kind on
> > every url (are these urls only accessible to logged-in users? hope so)
> > that does something.
> >
> > You might want to consider the fact that with nothing else in place a
> > malicious user can get bob to delete his own posts just by looking at
> > a page with a link of any kind to
> > www.mysite.com/index.php/posts/delete/bobsPostId
> > whilst logged in to your site.
> >
> > More info: http://en.wikipedia.org/wiki/Cross-site_request_forgery (PDF
> > referenced is a good read)
> > http://www.ad7six.com/MiBlog/capabilityBasedSecurity
> >
> > hth,
> >
> > AD
>


-- 
Mike Green

You received this message because you are subscribed to the Google Groups "Cake PHP" group.

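The thread settles on two separate fixes: the ownership comparison in the controller (with `==`, not the `=` in the original snippet) and protection against a forged cross-site request such as the 0x0 `<img>` above. Below is an added example, not code from this thread and not CakePHP's own API, showing both in plain PHP: the delete action only accepts a POST that carries a per-session token, and ownership is enforced server-side rather than by hiding the link. It assumes a PDO connection `$db` and a `posts` table with `id` and `userid` columns.

```php
<?php
// Added example, not from the thread and not CakePHP's own code.
// Assumes: session already holds 'userid' after login, a PDO handle $db,
// and a table posts(id, userid). Requires PHP 7+ (random_bytes).

session_start();

// One token per session; the delete control must send it back.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the delete control as a POST form instead of a bare GET link,
// so a URL typed into the address bar or embedded in an <img> cannot
// trigger the deletion on its own.
function deleteForm(int $postId): string {
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/posts/delete/' . $postId . '">'
         . '<input type="hidden" name="_token" value="' . $t . '">'
         . '<button type="submit">Delete</button></form>';
}

// Returns an HTTP-style status so the caller can respond/redirect.
function deletePost(PDO $db, int $postId): int {
    // 1. Every state-changing URL requires a logged-in user.
    if (empty($_SESSION['userid'])) { return 401; }
    // 2. Only a POST whose token matches the session is accepted;
    //    hash_equals avoids a timing side channel on the comparison.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals(csrfToken(), (string)($_POST['_token'] ?? ''))) {
        return 403;
    }
    // 3. Ownership is checked on the server with a comparison (==),
    //    independent of whether the link was shown in the UI.
    $stmt = $db->prepare('SELECT userid FROM posts WHERE id = ?');
    $stmt->execute([$postId]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) { return 404; }
    if ((int)$owner !== (int)$_SESSION['userid']) { return 403; }
    // The DELETE repeats the owner condition so the check and the
    // deletion cannot disagree if the row changes in between.
    $del = $db->prepare('DELETE FROM posts WHERE id = ? AND userid = ?');
    $del->execute([$postId, (int)$_SESSION['userid']]);
    return 200;
}
```

With this in place the `<img src=".../posts/delete/bobsPostID">` trick issues a GET with no token, so it is refused at step 2 before any post is looked up.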