Thanks for the replies, very helpful.

On Sep 17, 1:31 am, AD7six <[EMAIL PROTECTED]> wrote:
> On Sep 17, 6:45 am, beetlecube <[EMAIL PROTECTED]> wrote:
>
> > I realized, humorously, that my delete links for the posts on my
> > mini-discussion board were clearly showing in the status bar:
> > "www.mysite.com/index.php/posts/delete/45".
> >
> > So of course even though the delete link only shows up for posts
> > where post.userid = session[userid], if you are a user who has half a
> > brain, you would eventually see the URL on the status bar and you
> > could just type it in manually to delete any post you want that other
> > people posted.
> >
> > So along with setting the status="" attribute for each "href", I
> > realized I need to add to my controller's code for the delete()
> > function:
> >
> > If ( $session->read('userid') == $data->post[userid] )
> >
> > Would you do even more than that, to prevent unwanted post deletions?
>
> The above would prevent another user from directly deleting posts that
> are not their own. But there should be access control of some kind on
> every url (are these urls only accessible to logged in users? hope so)
> that does something.
>
> You might want to consider the fact that with nothing else in place a
> malicious user can get bob to delete his own posts just by looking at
> a page with a link of any kind
> to www.mysite.com/index.php/posts/delete/bobsPostId
> whilst logged in to your site.
>
> More info: http://en.wikipedia.org/wiki/Cross-site_request_forgery (PDF
> referenced is a good read)
> http://www.ad7six.com/MiBlog/capabilityBasedSecurity
>
> hth,
>
> AD
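Both defences AD7six raises, an ownership check on the delete action and protection against a forged link, put together in one CakePHP 1.x-style delete() action; this is an added example, not code from the thread or from CakePHP itself. It assumes a Post model with a user_id column, the thread's session key userid, and a view that emits the session's csrf_token as a hidden field in the delete form.

```php
<?php
// Added example (not from the thread or from CakePHP): assumes CakePHP 1.x
// components, a Post model with a user_id column, the session key "userid"
// from the thread, and a delete form that carries the csrf_token field.
class PostsController extends AppController {
    var $components = array('Session', 'RequestHandler');

    function beforeFilter() {
        // One random token per session; the view puts it in the delete form.
        if (!$this->Session->check('csrf_token')) {
            $this->Session->write('csrf_token', sha1(uniqid(mt_rand(), true)));
        }
    }

    function delete($id = null) {
        $userId = $this->Session->read('userid');
        if (!$userId) {                          // 1. logged in at all?
            $this->redirect(array('controller' => 'users', 'action' => 'login'));
            return;
        }
        // 2. State changes only over POST: a URL typed from the status bar,
        //    a plain link or an <img> src is a GET and is refused outright.
        if (!$this->RequestHandler->isPost()) {
            $this->cakeError('error404');
            return;
        }
        // 3. The POST must carry the session token; a page on another site
        //    cannot read it, so it cannot forge a valid delete request.
        $expected = $this->Session->read('csrf_token');
        $given = isset($this->data['Post']['csrf_token']) ? $this->data['Post']['csrf_token'] : '';
        if (empty($expected) || $given !== $expected) {
            $this->cakeError('error404');
            return;
        }
        // 4. Ownership: the stored author must be the session user
        //    (== for comparison; a single = would be an assignment).
        $post = $this->Post->findById($id);
        if (empty($post) || $post['Post']['user_id'] != $userId) {
            $this->Session->setFlash('Not your post.');
            $this->redirect(array('action' => 'index'));
            return;
        }
        $this->Post->delete($id);
        $this->redirect(array('action' => 'index'));
    }
}
```

With the action POST-only and token-checked, the visible URL in the status bar no longer matters: knowing or guessing an id is not enough to delete a post, and a link on another page cannot trigger the deletion.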