[wp-hackers] Security at Wordpress
Ryan Scheuermann
ryan at concept64.com
Mon Apr 24 15:15:08 GMT 2006
Wait a minute, on the Manage Bookmarks page, there is actually a Delete
link AND a checkbox with a form submit! Does that seem redundant to
anyone else?
Ryan Scheuermann
----
Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com
Ryan Scheuermann wrote:
> I'm not in agreement either way, but here's a proposed solution for
> getting rid of the GET delete requests:
>
> Drop the buttons for "Delete" completely and make checkboxes for each,
> with a "Delete Posts" submit button on the bottom of the page? We
> already do this on the Manage Bookmarks page and it's actually more
> user-friendly because you can delete multiple posts/pages at once.
> Plus, it slightly curbs people with Javascript disabled or JS problems
> from accidentally clicking the "Delete" button and with no
> confirmation popup from "poof" post gone, sorry. And that would also
> remove the need for the AJAX list management code, or we could still
> use AJAX for the form submit...
>
> As for approving comments from emails, either do what Ryan Duff is
> suggesting:
>
> What about a hash appended to the link that is generated when the
> email is sent? To delete it via a single click it would require the
> hash to match. The other POST method could be used in the admin
> interface for security there.
>
> The only person that would get the hash would be the email
> recipient, removing the risk of anybody being able to craft a link
> and cause you to delete something with a single click.
>
> Or, we don't allow approving comments from emails, but we provide a
> link to WP Admin where you can (using a POST). I don't know, I'm all
> about the aesthetically pleasing GUI, but this seems a little trivial
> for something that can be accomplished with REST and still be
> aesthetically pleasing with checkboxes.
>
> Ryan Scheuermann
>
>
> ----
> Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
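The "hash appended to the link" idea quoted above is, in modern terms, a keyed-hash (HMAC) token that binds an e-mail action link to one comment, one action and an expiry, so only the e-mail recipient holds a link the server will honour and a link crafted by someone else fails verification. The following is an added illustration, not WordPress code and not code from anyone in this thread; the secret key, the query-parameter names and the `approve`/`delete` action set are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret for this example only; a real deployment
# would load it from configuration and never put it in the link.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

ALLOWED_ACTIONS = ("approve", "delete")


def _signature(action: str, comment_id: int, expires: int) -> str:
    # The MAC covers the action, the object and the expiry, so a token for
    # "approve comment 42" cannot be reused to delete it or to touch comment 43.
    msg = f"{action}:{comment_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_action_link(base_url: str, action: str, comment_id: int,
                      ttl_seconds: int = 86400, now: Optional[int] = None) -> str:
    """Build the one-click link that would be embedded in the notification e-mail."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    params = {
        "action": action,
        "comment": comment_id,
        "expires": expires,
        "hash": _signature(action, comment_id, expires),
    }
    return f"{base_url}?{urlencode(params)}"


def verify_action_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check run when the link is clicked.

    Returns (ok, reason). Only a link whose hash was produced with SECRET_KEY
    for exactly these parameters, and which has not expired, is accepted.
    """
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        action = q["action"][0]
        comment_id = int(q["comment"][0])
        expires = int(q["expires"][0])
        supplied = q["hash"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if action not in ALLOWED_ACTIONS:
        return False, "unknown action"
    if now > expires:
        return False, "link expired"
    expected = _signature(action, comment_id, expires)
    # Constant-time comparison so the hash cannot be guessed byte by byte
    # from response timing.
    if not hmac.compare_digest(supplied, expected):
        return False, "bad hash"
    return True, f"{action} comment {comment_id}"


if __name__ == "__main__":
    link = build_action_link("https://example.invalid/wp-admin/comment.php",
                             "approve", 42, now=1_000_000)
    print(link)
    print(verify_action_link(link, now=1_000_000))
    # Same link with the comment id changed: the hash no longer matches.
    print(verify_action_link(link.replace("comment=42", "comment=43"), now=1_000_000))
```

The admin interface itself would keep using POST for state changes, as the quoted message suggests; the signed link is the narrow exception for the e-mail case, and the expiry limits how long a leaked or forwarded e-mail stays usable.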