[pLog-svn] r7015 - plog/branches/lifetype-1.2/js/ui

Jon Daley plogworld at jon.limedaley.com
Sun Aug 1 22:33:43 EDT 2010


On Mon, 2 Aug 2010, Reto Hugi wrote:
> I was thinking about those Blog communities that Mark was working on
> some time ago, with lots of content "creators". But fair enough, it's
> only the admin side.
 	Yes, I occasionally hear about large communities, but I just 
haven't worked on any of their code.

>>> Please have a look at the /class/data/nonce.class.php (not the
>>> randomizer - yours is better)
> Well, actually I thought that the nonce creation class would have been
> nicer, than just creating the token inside the plugin code - that was my
> point :)
 	True, that is good.

> The "insecure" part on the implementation is the $protected array, which 
> may miss newly added actions and the fact that the token is fixed for a 
> session.
 	Yeah, I'm not sure how to fix the newly-added actions part.  If 
you have any ideas about that, that'd be good.  I don't want to fix the 
second.
 	I was thinking about it tonight, and wondering what it would be 
like to add the nonce on the javascript/client side, so then the template 
parsing would not be server-side, and so the load would be lower, and it 
would also fix the plugin issue, at least partly - in that the links could 
have the nonce added.  The values would still need to be validated on the 
other side.

> my approach involved much more work but it treats csrf protection just as 
> we treat any other validation, so it's more kind of a "native" approach.
 	True, and if we could get it in the adminaction base class, then 
it'd be great.

> True. Although the problem is, that I'm not running the latest svn code
> - heck, I'm still on 1.2.8!
 	Hmmm...  Though I'd still venture to guess that you could just 
replace the adminloginaction and add the plugin and be good to go.  If you 
don't care about dynamically adding categories on the newpost page, you 
can ignore those changes.

-- 
Jon Daley
http://jon.limedaley.com
~~
No matter where you go,
there you are.
-- Buckaroo Bonzai
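The two weak points named in the thread (a $protected array that can miss newly added actions, and a token that is fixed for the whole session) can both be handled in the base action class. The following is an added example, not LifeType's own code: ActionNonce, NonceCheckedAdminAction and the $readOnly list are assumed names. It derives a per-action, time-bucketed nonce from a per-session secret, and the base-class check is default-deny, so an action added later is protected unless someone explicitly lists it as read-only.

```php
<?php
// Added example (not LifeType's own code): per-action, time-bucketed CSRF nonces
// with a default-deny check, so actions added later are protected unless
// explicitly listed as read-only.

final class ActionNonce
{
    private const BUCKET_SECONDS = 1800; // nonces rotate every 30 minutes

    // Per-session secret; generated once and kept in the session array.
    public static function sessionSecret(array &$session): string
    {
        if (empty($session['csrf_secret'])) {
            $session['csrf_secret'] = bin2hex(random_bytes(32));
        }
        return $session['csrf_secret'];
    }

    private static function derive(string $secret, string $action, int $bucket): string
    {
        return hash_hmac('sha256', $action . '|' . $bucket, $secret);
    }

    public static function create(string $secret, string $action, ?int $now = null): string
    {
        $now = $now ?? time();
        return self::derive($secret, $action, intdiv($now, self::BUCKET_SECONDS));
    }

    // Accept the current bucket and the previous one, so a page rendered just
    // before rotation still submits successfully. Comparison is constant-time.
    public static function verify(string $secret, string $action, string $token, ?int $now = null): bool
    {
        $now = $now ?? time();
        $bucket = intdiv($now, self::BUCKET_SECONDS);
        foreach ([$bucket, $bucket - 1] as $b) {
            if (hash_equals(self::derive($secret, $action, $b), $token)) {
                return true;
            }
        }
        return false;
    }
}

// Base-class style check: every action must carry a valid nonce for its own
// action name unless it is explicitly listed as read-only. A nonce minted for
// one action does not authorize another.
abstract class NonceCheckedAdminAction
{
    // Hypothetical allowlist of actions that only display data.
    protected static array $readOnly = ['viewDashboard', 'viewPosts'];

    public static function isAuthorized(string $action, array $request, array &$session): bool
    {
        if (in_array($action, static::$readOnly, true)) {
            return true;
        }
        $secret = ActionNonce::sessionSecret($session);
        return isset($request['nonce'])
            && is_string($request['nonce'])
            && ActionNonce::verify($secret, $action, $request['nonce']);
    }
}

// Usage (hypothetical dispatcher):
// $nonce = ActionNonce::create(ActionNonce::sessionSecret($_SESSION), 'deletePost');
// echo '<a href="admin.php?op=deletePost&postId=42&nonce=' . htmlspecialchars($nonce) . '">delete</a>';
// ...
// if (!NonceCheckedAdminAction::isAuthorized($_REQUEST['op'], $_REQUEST, $_SESSION)) {
//     // reject the request
// }
```

Because the nonce is an HMAC over the action name and a time bucket, nothing has to be stored per token, and the client-side idea from the mail still works: a page can emit the secret-derived nonces for its own links (or one script can append them), while the server remains the only place that validates them. Putting nonces in GET links as above leaks them through the Referer header, so state-changing actions are better submitted as POST forms where the codebase allows it.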