[wp-hackers] Rethinking check_admin_referer()
wp-hackers at paul-mitchell.me.uk
Wed Apr 19 17:06:52 GMT 2006
Brian Layman wrote:
> Mark Jaquith wrote:
>> 3) if HTTP referer isn't from the admin, present "are you sure" dialog
> This would also have the advantage of moving the AYS dialog call into the
> actual deletion function. The reason I was able to delete a post without
> any notice to the admin is that the AYS prompt is totally independent of
> the hyperlink that actually triggers the deletion.
I would prefer that $_GET['action']=='deletepost' present the AYS form
that submits $_POST['action']=='deletepost' to do the dirty work, which
allows the client-side AYS JS to be discarded.
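Below is an added, self-contained PHP sketch of the request flow proposed in this message (it is example code written for this page, not WordPress code and not the poster's patch). It assumes a hypothetical `handle_request()` dispatcher, a per-install secret `NONCE_SECRET`, and an HMAC token named `_nonce` carried in the confirmation form; the real WordPress nonce helpers are not used, and the in-memory `$posts` array and the requests at the bottom are constructed sample input. The point it demonstrates: a GET with action=deletepost only renders the "are you sure" form, the actual deletion happens only on a POST with action=deletepost, and because that POST must carry a token tied to the user and the post, a cross-site link or form cannot trigger it, with no client-side JS involved.

```php
<?php
// Example code added for illustration; not WordPress code. Requires PHP 7+.
declare(strict_types=1);

// Assumption: a per-install secret, known only to the server.
const NONCE_SECRET = 'example-secret-replace-in-real-use';

// Token bound to the action, the acting user and the target post.
function make_nonce(int $user_id, int $post_id): string
{
    return hash_hmac('sha256', "deletepost|$user_id|$post_id", NONCE_SECRET);
}

function verify_nonce(string $nonce, int $user_id, int $post_id): bool
{
    // Constant-time comparison so the token cannot be guessed byte by byte.
    return hash_equals(make_nonce($user_id, $post_id), $nonce);
}

// The AYS page: a plain HTML form that POSTs action=deletepost with the token.
function ays_form(int $user_id, int $post_id): string
{
    $nonce = htmlspecialchars(make_nonce($user_id, $post_id), ENT_QUOTES);
    return '<form method="post" action="post.php">'
        . '<input type="hidden" name="action" value="deletepost">'
        . '<input type="hidden" name="post" value="' . $post_id . '">'
        . '<input type="hidden" name="_nonce" value="' . $nonce . '">'
        . '<p>Are you sure you want to delete post #' . $post_id . '?</p>'
        . '<input type="submit" value="Delete">'
        . '</form>';
}

// Hypothetical dispatcher. $user_id would come from the authenticated session.
function handle_request(string $method, array $get, array $post, int $user_id, array &$posts): string
{
    if ($method === 'GET' && ($get['action'] ?? '') === 'deletepost') {
        $post_id = (int) ($get['post'] ?? 0);
        if (!isset($posts[$post_id])) {
            return '404: no such post';
        }
        // GET never deletes; it only shows the confirmation form.
        return ays_form($user_id, $post_id);
    }

    if ($method === 'POST' && ($post['action'] ?? '') === 'deletepost') {
        $post_id = (int) ($post['post'] ?? 0);
        if (!verify_nonce((string) ($post['_nonce'] ?? ''), $user_id, $post_id)) {
            return '403: missing or invalid token';
        }
        if (!isset($posts[$post_id])) {
            return '404: no such post';
        }
        unset($posts[$post_id]);           // the only place a deletion happens
        return "deleted post $post_id";
    }

    return '400: unsupported request';
}

// Constructed sample data and requests for a stand-alone run.
$posts   = [7 => 'Hello world', 8 => 'Second post'];
$user_id = 1;

// 1. A link (or an <img src=...> on a hostile page) hitting the GET URL: form only.
echo handle_request('GET', ['action' => 'deletepost', 'post' => '7'], [], $user_id, $posts), "\n";
echo count($posts), " posts remain\n";

// 2. A forged cross-site POST without the token: refused.
echo handle_request('POST', [], ['action' => 'deletepost', 'post' => '7'], $user_id, $posts), "\n";

// 3. The real AYS form submission, carrying the token: deletion proceeds.
$form = ['action' => 'deletepost', 'post' => '7', '_nonce' => make_nonce($user_id, 7)];
echo handle_request('POST', [], $form, $user_id, $posts), "\n";
echo count($posts), " posts remain\n";
```

Run with `php example.php`: the GET prints the form and leaves both posts in place, the token-less POST is refused, and only the POST carrying the token removes post 7. Tying the token to the post id and user means a token captured for one post cannot be replayed against another.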