I have used something like this: http://bakery.cakephp.org/articles/view/secureget-component
On Sep 23, 4:02 pm, "Mike Green" <[EMAIL PROTECTED]> wrote:
> This includes getting bob to look at a page, with an img tag that
> links to the site, such as
>
> <img src="http://www.mysite.com/index.php/posts/delete/bobsPostID"
> width="0" height="0" border="0">
>
> could even tinyurl it!
>
> On 18/09/2007, beetlecube <[EMAIL PROTECTED]> wrote:
> >
> > Thanks for the replies, very helpful.
> >
> > On Sep 17, 1:31 am, AD7six <[EMAIL PROTECTED]> wrote:
> > > On Sep 17, 6:45 am, beetlecube <[EMAIL PROTECTED]> wrote:
> > > > I realized humorously, that my delete links for the posts on my
> > > > mini-discussion board were clearly showing in the status bar:
> > > > "www.mysite.com/index.php/posts/delete/45".
> > > >
> > > > So of course even though the delete link only shows up for posts
> > > > where post.userid = session[userid], if you are a user who has half a
> > > > brain, you would eventually see the URL on the status bar and you
> > > > could just type it in manually to delete any post you want that other
> > > > people posted.
> > > >
> > > > So along with setting the status="" attribute for each "href", I
> > > > realized I need to add to my controller's code for the delete()
> > > > function:
> > > >
> > > > If ( $session->read('userid') = $data->post[userid] )
> > > >
> > > > Would you do even more than that, to prevent unwanted post deletions?
> > >
> > > The above would prevent another user from directly deleting posts that
> > > are not their own. But there should be access control of some kind on
> > > every url (are these urls only accessible to logged in users? hope so)
> > > that does something.
> > >
> > > You might want to consider the fact that with nothing else in place a
> > > malicious user can get bob to delete his own posts just by looking at
> > > a page with a link of any kind
> > > to www.mysite.com/index.php/posts/delete/bobsPostId
> > > whilst logged in to your site.
> > >
> > > More info: http://en.wikipedia.org/wiki/Cross-site_request_forgery (PDF
> > > referenced is a good read)
> > > http://www.ad7six.com/MiBlog/capabilityBasedSecurity
> > >
> > > hth,
> > >
> > > AD
>
> --
> ------------------------------------
> Mike Green
>
> Find yourself some misspelled ebay bargains! http://www.typingwand.com
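The thread arrives at two separate problems: the ownership test in delete() (which, as written with a single "=", is an assignment rather than a comparison), and the fact that a delete reachable by GET can be fired by an <img> tag on any page the victim views. The following is an added example in plain PHP, not code from the thread, from the SecureGet component linked above, or from CakePHP itself; it assumes hypothetical stand-ins ($session for the server session, $posts for the posts table, $request for the incoming HTTP request) so that it runs offline, and shows both checks together: the action is POST-only, it requires a per-session CSRF token in the form body, and it compares the post's owner with the logged-in user before deleting.

```php
<?php
// Added example, not code from the thread, the SecureGet component or CakePHP.
// Plain PHP showing the two checks the thread arrives at for a delete action:
//   1. the post must belong to the logged-in user (checked server side, not
//      by merely hiding the link), and
//   2. the request must be a POST carrying a per-session CSRF token, so a
//      hidden <img src=".../posts/delete/ID"> on another site cannot fire it.
// Assumed (hypothetical) stand-ins: $session for the server session, $posts
// for the posts table, $request for the incoming HTTP request.
declare(strict_types=1);

// Issue one random token per session; every delete form carries it.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The delete link becomes a POST form with the token in a hidden field.
function delete_form(array &$session, int $postId): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/index.php/posts/delete/' . $postId . '">'
         . '<input type="hidden" name="_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// Returns 'deleted' or the reason the request was refused. $posts is updated
// in place on success. Request-level checks come first, the record lookup last.
function delete_post(array &$session, array &$posts, array $request, int $postId): string
{
    if (!isset($session['userid'])) {
        return 'not_logged_in';
    }
    // <img>, <a> and redirects all produce GETs, so a state change is POST-only.
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'method_not_allowed';
    }
    // A cross-site POST cannot read the victim's token, so it fails here.
    // hash_equals() avoids a timing side channel on the comparison.
    $sent = $request['data']['_token'] ?? '';
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $sent)) {
        return 'bad_token';
    }
    if (!isset($posts[$postId])) {
        return 'not_found';
    }
    // Ownership check with ===; a single "=" here would assign, not compare.
    if ($posts[$postId]['userid'] !== $session['userid']) {
        return 'forbidden';
    }
    unset($posts[$postId]);
    return 'deleted';
}

// --- constructed demo data ---------------------------------------------
$posts = [
    45 => ['userid' => 7, 'body' => "bob's post"],
    46 => ['userid' => 9, 'body' => "alice's post"],
];
$bob = ['userid' => 7]; // bob's logged-in session

echo delete_form($bob, 45), "\n"; // the markup bob's page renders instead of a bare link
$token = $bob['csrf_token'];

$attempts = [
    'img tag on another site (GET, no token)' => ['method' => 'GET'],
    'forged cross-site POST, no token'        => ['method' => 'POST', 'data' => []],
    'forged POST with a guessed token'        => ['method' => 'POST', 'data' => ['_token' => str_repeat('0', 64)]],
    "bob's own form, post 46 (not his)"       => ['method' => 'POST', 'data' => ['_token' => $token], 'id' => 46],
    "bob's own form, post 45 (his)"           => ['method' => 'POST', 'data' => ['_token' => $token], 'id' => 45],
];
foreach ($attempts as $label => $req) {
    $id = $req['id'] ?? 45;
    printf("%-42s -> %s\n", $label, delete_post($bob, $posts, $req, $id));
}
```

Only the last attempt removes a post: the image-tag request is refused for being a GET before anything else is looked at, the forged POSTs fail the token comparison, and bob's own form is still refused for a post he does not own. In a real CakePHP application the built-in SecurityComponent is the usual place for the POST-only and form-token checks; the ownership comparison still belongs in the controller action, whatever sits in front of it.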