> The check is done at the server side. So even if the user creates new
> buttons or does whatever, the security measures are taken server-side
> and only those buttons instantiated by the server (or more
> specifically, signals that get exposed), can trigger Wt code.

I see. You do not have access to the slot. Nice... I did not think about that...
However... let's say that you have two users. (At the moment, I know, only the
admin can add posts, but let's presume you would add more users.)

The first user retrieves his own post for editing. Then, when saving, he could
impersonate the other user by sending a post of the first user to be saved
(changing the ID of the object).

Or is the ID not part of the HTTP message when you save a post? If not, how are
the objects identified? Is there a hash value generated that would make it
impossible to send random IDs, etc.?

Koen, maybe what I am discussing is nonsense, but I would not mind getting
references on how this is implemented... Of course I could spend some hours
looking at the code... etc.

> Nevertheless, we take security seriously,
I am convinced. However, I am sure that challenging it from time to time gives
more confidence both to the community and to you.

> convinced that there is a security problem and think of a way of
> triggering it, you can easily convince us by demonstrating it?
I would be more than happy to do that, but due to lack of time I do not know
when... I even had to skip the beer event.
By the way... did you meet guys?

I think it is also not bad to clarify this as a pattern, as probably one would
tend to add extra authorisation code in methods like savePost.

rgrds,
mobi phil

being mobile, but including technology
http://mobiphil.com
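An added example (not Wt's code and not from the thread) of the server-side pattern under discussion: savePost checks, against the server's own stored record and session user, that the caller owns the object, rather than trusting the ID that arrives with the save. It assumes a plain std::map store and a string user name standing in for the framework's session; PostStore, savePost and demoCrossUserSave are hypothetical names.

```cpp
#include <map>
#include <string>

// Constructed, framework-free sketch: the server keeps the authenticated user
// in its own session state, and savePost() re-checks ownership of the record
// looked up by ID instead of trusting the ID the client sent with the save.
struct Post {
    int id;
    std::string owner;  // user who created the post
    std::string body;
};

class PostStore {
public:
    int create(const std::string& owner, const std::string& body) {
        int id = nextId_++;
        posts_[id] = Post{id, owner, body};
        return id;
    }
    const Post* get(int id) const {
        auto it = posts_.find(id);
        return it == posts_.end() ? nullptr : &it->second;
    }
    // Hardened shape: the user bound to the server-side session must own the
    // record; on any failure nothing is changed and false is returned.
    bool savePost(const std::string& sessionUser, int id,
                  const std::string& body) {
        auto it = posts_.find(id);
        if (it == posts_.end()) return false;               // unknown object
        if (it->second.owner != sessionUser) return false;  // not the owner
        it->second.body = body;
        return true;
    }
private:
    std::map<int, Post> posts_;
    int nextId_ = 1;
};

// The scenario raised above: "alice" edits her own post, then submits a save
// that carries the ID of "bob"'s post. Returns true when the check holds.
bool demoCrossUserSave() {
    PostStore store;
    int alicePost = store.create("alice", "hello");
    int bobPost = store.create("bob", "bob's post");
    bool ownSave = store.savePost("alice", alicePost, "edited");
    bool crossSave = store.savePost("alice", bobPost, "cross-user edit");
    return ownSave && !crossSave && store.get(bobPost)->body == "bob's post";
}
```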

_______________________________________________
witty-interest mailing list
https://lists.sourceforge.net/lists/listinfo/witty-interest