[wp-hackers] Rethinking check_admin_referer()

Paul Mitchell wp-hackers at paul-mitchell.me.uk
Wed Apr 19 17:06:52 GMT 2006


Brian Layman wrote:
> Mark Jaquith wrote:
>   
>> 3) if HTTP referer isn't from the admin, present "are you sure" dialog
>>     
> This would also have the advantage of moving the AYS dialog call into the
> actual deletion function.  The reason I was able to delete a post without
> any notice to the admin is that the AYS prompt is totally independent of
> the hyperlink that actually triggers the deletion.
>   
I would prefer that $_GET['action']=='deletepost' present the AYS form
that submits $_POST['action']=='deletepost' to do the dirty work, which
allows the client-side AYS JS to be discarded.

Paul
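
The flow proposed in this message, combined with the referer check from item 3 quoted above, as an added PHP example that is not from the original post or from WordPress itself. The names `handle_deletepost`, `render_ays_form`, `referer_is_admin` and the `blog.example` URL are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration, not WordPress core code. All names here are hypothetical.
const ADMIN_URL = 'https://blog.example/wp-admin/'; // constructed value

// True when the Referer header points inside the admin area.
function referer_is_admin(?string $referer): bool {
    return $referer !== null && strncmp($referer, ADMIN_URL, strlen(ADMIN_URL)) === 0;
}

// Server-rendered "are you sure" form; it submits action=deletepost by POST,
// so no client-side AYS JavaScript is involved.
function render_ays_form(int $post_id): string {
    return '<form method="post" action="' . htmlspecialchars(ADMIN_URL . 'post.php', ENT_QUOTES) . '">'
         . '<input type="hidden" name="action" value="deletepost">'
         . '<input type="hidden" name="post" value="' . $post_id . '">'
         . '<p>Are you sure you want to delete post ' . $post_id . '?</p>'
         . '<input type="submit" value="Delete"></form>';
}

// Returns [outcome, payload]. $delete is the callback that does the real deletion.
function handle_deletepost(string $method, array $get, array $post, ?string $referer, callable $delete): array {
    $params = ($method === 'POST') ? $post : $get;
    if (($params['action'] ?? '') !== 'deletepost') {
        return ['ignored', null];
    }
    $post_id = (int) ($params['post'] ?? 0);
    if ($post_id <= 0) {
        return ['ignored', null];
    }
    // A GET, or a POST whose Referer is outside the admin, never changes state:
    // it only gets the confirmation form back.
    if ($method !== 'POST' || !referer_is_admin($referer)) {
        return ['confirm', render_ays_form($post_id)];
    }
    $delete($post_id);
    return ['deleted', $post_id];
}

// Constructed requests: a followed link (GET), then the form submission (POST).
$deleted = [];
$delete = function (int $id) use (&$deleted): void { $deleted[] = $id; };

$r1 = handle_deletepost('GET', ['action' => 'deletepost', 'post' => '42'], [], 'https://other.example/page', $delete);
$r2 = handle_deletepost('POST', [], ['action' => 'deletepost', 'post' => '42'], ADMIN_URL . 'post.php', $delete);
echo $r1[0], ' ', $r2[0], ' ', implode(',', $deleted), "\n";
```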


