[pLog-svn] r6086 - in plog/branches/lifetype-2.0-csrf: class/action/admin class/data class/data/validator templates/admin

Reto Hugi plog at hugi.to
Thu Nov 29 12:45:18 EST 2007


On 11/29/2007 08:46 AM, Oscar Renalias wrote:

> How are we planning to solve these limitations?

>> limitations:
>> - it doesn't work with javascript enabled ATM.

I implemented it for POST requests, but the AJAX implementation only
uses GET requests. I don't know yet how hard it is to validate
subsequent AJAX requests without a page reload (the generated nonce,
added to all the article links, is invalid after the first delete action.
What about subsequent delete actions on other articles from the list?)

This is probably the hardest part of it...

>> - it doesn't work with GET requests (i.e. clicks on the delete icons)

Adding the nonce parameter to each request. It's quite a bit of work, I
know. But we build all the requests in the templates, so that's where we
need to add that parameter.

>> - only works on the deletepostaction

This is just my choice for the PoC. It should be added to all relevant
actions.

reto
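The problem described above (a one-time nonce embedded in every delete link on the list page becomes useless after the first click) can be compared with a session-bound token in a small simulation. This is an added example, not LifeType code; the parameter names `op`, `postId` and `nonce` and the secret are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed server-side secret; a real deployment would load it from config.
SERVER_SECRET = b"constructed-example-secret"


class CsrfGuard:
    """Two anti-CSRF schemes for one user session."""

    def __init__(self, session_id: str):
        self.session_id = session_id
        self.issued_nonces = set()

    def session_token(self) -> str:
        # Bound to the session rather than to a single action, so the same
        # token can be placed on every delete link without a page reload.
        return hmac.new(SERVER_SECRET, self.session_id.encode(), hashlib.sha256).hexdigest()

    def check_session_token(self, token) -> bool:
        # Constant-time comparison; a missing token is rejected.
        return hmac.compare_digest(token or "", self.session_token())

    def one_time_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def check_one_time_nonce(self, nonce) -> bool:
        # Valid exactly once; every later request carrying it is refused.
        if nonce in self.issued_nonces:
            self.issued_nonces.discard(nonce)
            return True
        return False


def simulate_deletes(mode: str, post_ids) -> list:
    """Render the article list once, then click delete on each row via GET
    without reloading. Returns the ids whose delete request was accepted."""
    guard = CsrfGuard("sess-123")  # constructed session id
    token = guard.session_token() if mode == "session" else guard.one_time_nonce()
    # The template emits the same token in every row's delete link (hypothetical URL).
    links = {pid: f"admin.php?op=deletePost&postId={pid}&nonce={token}" for pid in post_ids}
    accepted = []
    for pid in post_ids:
        query = parse_qs(urlparse(links[pid]).query)
        nonce = query.get("nonce", [None])[0]
        ok = guard.check_session_token(nonce) if mode == "session" else guard.check_one_time_nonce(nonce)
        if ok:
            accepted.append(pid)
    return accepted
```

With the one-time nonce only the first delete on the list page goes through; with the session-bound token every row still validates, while a request lacking the token or carrying another session's token is refused.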
