Thanks for the replies, very helpful.

On Sep 17, 1:31 am, AD7six <[EMAIL PROTECTED]> wrote:
> On Sep 17, 6:45 am, beetlecube <[EMAIL PROTECTED]> wrote:
>
> > I realized humorously, that my delete links for the posts on my mini-
> > discussion board were clearly showing in the status bar:
> > "www.mysite.com/index.php/posts/delete/45".
>
> > So of course even though the delete link only shows up only for posts
> > where post.userid = session[userid], if you are a user who has half a
> > brain, you would eventually see the URL on the status bar and you
> > could just type it in manually to delete any post you want that other
> > people posted.
>
> > So along with setting the status="" attribute for each "href",   I
> > realized I need to add to my controller's code for the delete()
> > function:
>
> > if ($session->read('userid') == $data->post['userid'])
>
> > Would you do even more than that, to prevent unwanted post deletions?
>
> The above would prevent another user from directly deleting posts that
> are not their own. But there should be access control of some kind on
> every url (are these urls only accessible to logged in users? hope so)
> that does something.
>
> You might want to consider the fact that with nothing else in place a
> malicious user can get bob to delete his own posts just by looking at
> a page with a link of any kind to
> www.mysite.com/index.php/posts/delete/bobsPostId
> whilst logged in to your site.
>
> More info: http://en.wikipedia.org/wiki/Cross-site_request_forgery (the PDF
> referenced there is a good read) and http://www.ad7six.com/MiBlog/capabilityBasedSecurity
>
> hth,
>
> AD


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
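As an added illustration of the two points raised in the reply above (this is example code written for this page, not code from the thread or from CakePHP itself): the delete action needs a server-side ownership check, the URL needs access control for anonymous users, and, because a plain GET link can be triggered from any page a logged-in user happens to view, the action should only accept a POST that carries a per-session anti-CSRF token. It is written as plain PHP (7.1 or later, for random_bytes, ?? and list destructuring in foreach) so it runs on its own with `php delete_check.php`; the names csrfToken, deleteForm and authorizeDelete, the session and request array layout, and the sample post rows are all assumptions for the example. In a CakePHP controller the same logic would sit at the top of delete(), with the session values coming from the Session component and the post row from the Post model.

```php
<?php
// Added example, not code from the thread or from CakePHP. Plain PHP so it
// runs stand-alone; all function names and array layouts are assumptions.

/**
 * Return the per-session anti-CSRF token, creating it on first use.
 * random_bytes() needs PHP 7+.
 */
function csrfToken(array &$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Render the delete control as a POST form carrying the token, instead of a
 * bare GET link that any page on the web can point at.
 */
function deleteForm($postId, array &$session)
{
    $id    = (int) $postId;
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/index.php/posts/delete/{$id}\">"
         . "<input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">"
         . "<input type=\"submit\" value=\"Delete\"></form>";
}

/**
 * Decide whether this request may delete this post. Every check is made
 * server-side, so neither a hand-typed URL nor a link planted on another
 * site can get past all four.
 *
 * $session: current session, e.g. ['userid' => 7, 'csrf_token' => '...']
 * $request: ['method' => 'POST', 'data' => ['csrf_token' => '...']]
 * $post:    the row being deleted, e.g. ['id' => 45, 'userid' => 7]
 */
function authorizeDelete(array $session, array $request, array $post)
{
    // 1. Access control on the URL itself: anonymous users get nothing.
    if (empty($session['userid'])) {
        return 'not logged in';
    }
    // 2. State-changing action: refuse GET so a plain <a href> or <img src>
    //    viewed while logged in cannot trigger it.
    if (($request['method'] ?? '') !== 'POST') {
        return 'delete requires POST';
    }
    // 3. Anti-CSRF: the request must carry the token only our own page knows.
    //    hash_equals() compares in constant time.
    $sent = (string) ($request['data']['csrf_token'] ?? '');
    if (empty($session['csrf_token']) || !hash_equals($session['csrf_token'], $sent)) {
        return 'bad csrf token';
    }
    // 4. Ownership: the check proposed in the thread, as a comparison (== / ===)
    //    rather than an assignment (=). Cast both sides so '7' and 7 agree.
    if ((int) $post['userid'] !== (int) $session['userid']) {
        return 'not the owner';
    }
    return 'ok';
}

// --- constructed sample data for the demonstration, not from the thread ---
$session = ['userid' => 7];          // Bob is logged in as user 7
$token   = csrfToken($session);      // the token his own pages embed
$bobs    = ['id' => 45, 'userid' => 7];
$alices  = ['id' => 46, 'userid' => 8];

$cases = [
    'typed URL (GET)'          => [['method' => 'GET',  'data' => []], $alices],
    'forged POST, no token'    => [['method' => 'POST', 'data' => []], $bobs],
    'own post, good token'     => [['method' => 'POST', 'data' => ['csrf_token' => $token]], $bobs],
    "other user's post, token" => [['method' => 'POST', 'data' => ['csrf_token' => $token]], $alices],
];
foreach ($cases as $label => [$request, $post]) {
    printf("%-26s => %s\n", $label, authorizeDelete($session, $request, $post));
}
echo deleteForm($bobs['id'], $session), "\n";
```

The four sample requests exercise each branch: the hand-typed URL from the original post is refused as a GET before any ownership logic runs, a forged POST from another site fails the token check because that site cannot read the victim's session token, and only Bob's own post with a valid token reaches 'ok'. Setting status="" on the link, as mentioned in the thread, changes nothing on the server and is not relied on here.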