[pLog-svn] r6086 - in plog/branches/lifetype-2.0-csrf: class/action/admin class/data class/data/validator templates/admin
Oscar Renalias
oscar at renalias.net
Fri Nov 30 13:46:52 EST 2007
>> How are we planning to solve these limitations?
>
>>> limitations:
>>> - it doesn't work with javascript enabled ATM.
>
> I implemented it for post requests. but the ajax implementation only
> uses get requests. I don't know yet how hard it is to validate
> subsequent ajax requests without a page reload (the generated nonce,
> added to all the article links, is invalid after the first delete
> action.
> What about subsequent delete actions on other articles from the list?)
>
> This is probably the hardest part of it...
It might be the hardest, but it's also the most needed one as the UI
in 2.0 relies heavily on Ajax...
>>> - it doesn't work with GET requests (i.e. clicks on the delete
>>> icons)
>
> adding the nonce parameter to each request. It's quite a bit of work, I
> know. But we build all the requests in the templates, so that's where we
> need to add that parameter.
How about an AdminRequestGenerator class? It doesn't have to do much,
just provide 'admin.php?nonce=XXX' and let the template do the rest.
But modifying all admin templates is indeed a bit of work.
>>> - only works on the deletepostaction
>
> this is just my choice for the PoC. It should be added to all relevant
> actions.
Oscar
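The thread above pins down the real problem with the PoC: the nonce is generated once per page render and put on every delete link, but it is consumed by the first delete, so the second click on the same list (or a later Ajax GET) fails. The following is an added illustration, written for this page and not code from LifeType or from the patch under discussion. It contrasts that one-time scheme with a per-session token of the kind an AdminRequestGenerator could hand to the templates. The class name is taken from the proposal in the reply; the parameter names op, postId and nonce, and the admin.php URL shape, are assumptions made for the example.

```python
"""CSRF nonce for admin actions: one-time nonces (as in the PoC) versus a
per-session token. Added example, not LifeType project code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class OneTimeNonces:
    """Mimics the PoC: every issued nonce is accepted exactly once."""

    def __init__(self):
        self.issued = set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def consume(self, nonce):
        # Accept once, then forget it, so a second request with the same
        # nonce (the next delete link on the same page) is rejected.
        if nonce in self.issued:
            self.issued.discard(nonce)
            return True
        return False


class AdminRequestGenerator:
    """One token per login session, embedded into every admin.php link.

    Because the token stays valid until it is rotated (on logout / login),
    consecutive GET deletes from one article list and follow-up Ajax
    requests that reuse the token all pass validation without a reload.
    """

    SESSION_KEY = "csrf_nonce"

    def __init__(self, session):
        self.session = session  # dict standing in for the server-side session
        if self.SESSION_KEY not in session:
            self.rotate()

    def rotate(self):
        # Call this on login so a token leaked from a previous session is useless.
        self.session[self.SESSION_KEY] = secrets.token_hex(16)

    def nonce(self):
        return self.session[self.SESSION_KEY]

    def url(self, **params):
        """What a template would emit: 'admin.php?op=...&postId=...&nonce=...'."""
        params["nonce"] = self.nonce()
        return "admin.php?" + urlencode(params)

    def validate(self, params):
        """Check the nonce of an incoming state-changing request."""
        supplied = params.get("nonce")
        if not isinstance(supplied, str):
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(supplied.encode(), self.nonce().encode())


def params_of(url):
    """Flatten the query string of a link into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def delete_sequence(scheme, article_ids):
    """Render the delete links of an article list once, then 'click' them one
    after another without reloading the page. Returns the ids whose delete
    request was accepted."""
    if scheme == "one-time":
        store = OneTimeNonces()
        page_nonce = store.new_nonce()  # one nonce for the whole page, as in the PoC
        links = {
            aid: "admin.php?" + urlencode({"op": "deletePost", "postId": aid, "nonce": page_nonce})
            for aid in article_ids
        }
        check = store.consume
    else:
        gen = AdminRequestGenerator({})
        links = {aid: gen.url(op="deletePost", postId=aid) for aid in article_ids}
        check = lambda n: gen.validate({"nonce": n})
    return [aid for aid in article_ids if check(params_of(links[aid]).get("nonce", ""))]


if __name__ == "__main__":
    print("one-time nonces, deletes accepted:", delete_sequence("one-time", [1, 2, 3]))
    print("per-session token, deletes accepted:", delete_sequence("session", [1, 2, 3]))
```

With the one-time store only the first delete succeeds; with the per-session token all three go through, which is the behaviour the Ajax-heavy 2.0 UI needs. The Ajax side then only has to read the token once from the rendered page and append it to every request it builds, and the token should be checked on every state-changing action rather than on deletepostaction alone.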