[wp-hackers] Security at Wordpress

Mike Little mike at zed1.com
Mon Apr 24 12:53:02 GMT 2006

On 4/23/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> You are welcome to produce code that you feel will work better.
> WordPress has always been a "put up or shut up" environment.  If you
> feel that you can produce more satisfying code for the WordPress
> userbase, we'll adopt it when that proves to be true.
> I think your mission is folly, but who knows?  Users might actually
> enjoy crappy-looking UI if you are able to explain to them why it's
> better, though you're not doing much convincing here.
> All of this academic discussion at the expense of productivity is a
> bore.  I think people understand the issues pretty well now.  Let's move on.

And On 4/24/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> Also note that this is a mock-up, not a patch to the code.  A patch to
> do just what we see here would probably have been less work.
> Strange that all of the POST proponents hadn't written a patch for this
> already - it might have been less overall work than the bluster they've
> created, and it might already have been committed by now.

You've really got a bee in your bonnet about this one, haven't you? Is
all this aggression necessary?

If you want to protest about using POST, then do so for the right reasons.

Whilst the HTTP 1.1 standard states

    "...the convention has been established that the GET and HEAD methods
    SHOULD NOT have the significance of taking an action other than retrieval."

It also goes on to say:

    "Methods can also have the property of "idempotence" in that
    (aside from error or expiration issues) the side-effects of N > 0
    identical requests is the same as for a single request."

In other words, if a link *is* used to delete a post, and executing
the same request has no further side effects, then that request (link)
*is* idempotent.

It cannot have any further side effects because the post is already
deleted. If we had "delete latest post" or "delete all drafts" links,
that would be a different matter.

Mike Little
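The distinction the post draws, between a method being "safe" (GET/HEAD take no action other than retrieval) and a request being "idempotent" (repeating it leaves the same state as sending it once), can be made concrete with a small dispatcher. The following is an added example written for this page; it is not code from the thread or from WordPress. The in-memory post store, the action names `list`, `delete` and `delete_latest`, and the `dispatch` function are constructed for illustration.

```python
"""Toy request dispatcher separating HTTP "safe" from "idempotent".

Added example, not WordPress code. The store contents, action names and
status codes below are constructed assumptions for illustration only.
"""

# HTTP/1.1 calls GET and HEAD "safe": they should not take an action
# other than retrieval, whether or not that action would be idempotent.
SAFE_METHODS = {"GET", "HEAD"}


def make_store():
    """Constructed sample data: post id -> title."""
    return {1: "first", 2: "second", 3: "third"}


def dispatch(store, method, action, post_id=None):
    """Apply one request to the store; return (status, sorted post ids).

    A state-changing action arriving over a safe method is refused
    regardless of its idempotence; that is the 'right reason' to require
    POST, independent of whether a repeat would do further damage.
    """
    if action == "list":
        return 200, sorted(store)          # retrieval only, allowed on any method
    if method in SAFE_METHODS:
        return 405, sorted(store)          # safe method asked to change state
    if action == "delete":
        store.pop(post_id, None)           # idempotent: a second call changes nothing
        return 200, sorted(store)
    if action == "delete_latest":
        if store:
            store.pop(max(store))          # NOT idempotent: each call removes one more post
        return 200, sorted(store)
    return 400, sorted(store)              # unknown action


def replay(store, method, action, post_id=None, times=2):
    """Send the identical request `times` times; return each resulting id list."""
    return [dispatch(store, method, action, post_id)[1] for _ in range(times)]


def is_idempotent(method, action, post_id=None):
    """Check idempotence as HTTP/1.1 defines it: the state after N > 0
    identical requests equals the state after one request."""
    once = replay(make_store(), method, action, post_id, times=1)[-1]
    twice = replay(make_store(), method, action, post_id, times=2)[-1]
    return once == twice


if __name__ == "__main__":
    print(dispatch(make_store(), "GET", "delete", 2))      # refused: GET must be safe
    print(dispatch(make_store(), "POST", "delete", 2))     # allowed
    print(is_idempotent("POST", "delete", 2))              # True: post already gone on repeat
    print(is_idempotent("POST", "delete_latest"))          # False: repeat deletes another post
```

Running it shows the two properties are independent: the per-id delete is idempotent exactly as the post argues, while the "delete latest post" variant is not, yet both are refused over GET for the same reason, that a safe method should not change state at all.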
