[pLog-svn] r6086 - in plog/branches/lifetype-2.0-csrf: class/action/admin class/data class/data/validator templates/admin

Oscar Renalias oscar at renalias.net
Fri Nov 30 13:46:52 EST 2007


>> How are we planning to solve these limitations?
>
>>> limitations:
>>> - it doesn't work with javascript enabled ATM.
>
> I implemented it for POST requests, but the Ajax implementation only
> uses GET requests. I don't know yet how hard it is to validate
> subsequent Ajax requests without a page reload (the generated nonce,
> added to all the article links, is invalid after the first delete
> action. What about subsequent delete actions on other articles from
> the list?)
>
> This is probably the hardest part of it...

It might be the hardest, but it's also the most needed one as the UI  
in 2.0 relies heavily on Ajax...

>>> - it doesn't work with GET requests (i.e. clicks on the delete
>>> icons)
>
> Adding the nonce parameter to each request. It's quite a bit of
> work, I know. But we build all the requests in the templates, so
> that's where we need to add that parameter.

How about an AdminRequestGenerator class? It doesn't have to do much,  
just provide 'admin.php?nonce=XXX' and let the template do the rest.  
But modifying all admin templates is indeed a bit of work.

>>> - only works on the deletepostaction
>
> this is just my choice for the PoC. It should be added to all relevant
> actions.


Oscar
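The nonce scheme the thread is circling around, written out as an added example (this is not pLog/LifeType code, and not the proof of concept under discussion): a CSRF token that is scoped to the session instead of being consumed on first use, so the Ajax delete icons can keep sending it without a page reload, plus the small AdminRequestGenerator proposed above that hands templates an 'admin.php?nonce=XXX' prefix. The class names CsrfToken and AdminRequestGenerator, the parameter name nonce, the session array passed in by reference and the per-session (rather than single-use) token are assumptions of this example; it needs PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not project code. Names and the session-scoped token
// design are assumptions made for illustration.

class CsrfToken
{
    const SESSION_KEY = '_csrf_token';

    // One token per session, created lazily. It is deliberately not
    // invalidated after the first use: a second Ajax delete from the same
    // article list carries the same token and still validates.
    public static function get(array &$session)
    {
        if (empty($session[self::SESSION_KEY])) {
            $session[self::SESSION_KEY] = bin2hex(random_bytes(16));
        }
        return $session[self::SESSION_KEY];
    }

    // Rotate on login so a token handed out before authentication cannot
    // be used after it.
    public static function rotate(array &$session)
    {
        $session[self::SESSION_KEY] = bin2hex(random_bytes(16));
        return $session[self::SESSION_KEY];
    }

    // Validate the token of an incoming request. $request can be $_GET,
    // $_POST or their union, so GET links, POST forms and Ajax calls all
    // go through the same check.
    public static function validate(array $session, array $request)
    {
        $expected = isset($session[self::SESSION_KEY]) ? (string) $session[self::SESSION_KEY] : '';
        $given    = isset($request['nonce']) ? (string) $request['nonce'] : '';
        if ($expected === '' || $given === '') {
            return false;
        }
        // Constant-time comparison so the token is not recoverable via timing.
        return hash_equals($expected, $given);
    }
}

class AdminRequestGenerator
{
    private $token;

    public function __construct($token)
    {
        $this->token = $token;
    }

    // 'admin.php?nonce=XXX&op=...' ; templates append only their own params.
    public function url(array $params = array())
    {
        $params = array_merge(array('nonce' => $this->token), $params);
        return 'admin.php?' . http_build_query($params);
    }

    // Hidden field for POST forms.
    public function hiddenField()
    {
        return '<input type="hidden" name="nonce" value="'
            . htmlspecialchars($this->token, ENT_QUOTES, 'UTF-8') . '" />';
    }
}

// Where the check belongs: before any state-changing action is dispatched.
// Returns true when the action may proceed; a real controller would send
// a 403 and stop instead of returning.
function dispatchAdminAction(array $session, array $request)
{
    if (!CsrfToken::validate($session, $request)) {
        return false;
    }
    // ... look up $request['op'] and run the matching action class here.
    return true;
}

// Demonstration with a constructed session array in place of $_SESSION.
$session = array();
$gen = new AdminRequestGenerator(CsrfToken::get($session));

$deleteLink = $gen->url(array('op' => 'deletePost', 'postId' => 42));
parse_str(parse_url($deleteLink, PHP_URL_QUERY), $firstRequest);

// Two consecutive deletes from the same list reuse the same token.
$secondRequest = array('nonce' => $firstRequest['nonce'], 'op' => 'deletePost', 'postId' => 43);

// A cross-site forgery cannot read the token, so it arrives without one.
$forgedRequest = array('op' => 'deletePost', 'postId' => 44);

var_dump(dispatchAdminAction($session, $firstRequest));
var_dump(dispatchAdminAction($session, $secondRequest));
var_dump(dispatchAdminAction($session, $forgedRequest));
```

Two practitioner notes on this design. A session-scoped token is sufficient against CSRF because the attacking page cannot read it; a single-use nonce adds protection only against replay by someone who already has the token, and it is exactly what breaks the Ajax list, multiple admin tabs and the back button. And a token in a GET URL can leak through the Referer header of any outbound link on the resulting page, so the longer-term fix for the delete icons is to have the Ajax code send them as POST with the token in the body, keeping the GET form only as a fallback.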

