[wp-hackers] Security at Wordpress
ryan at concept64.com
Mon Apr 24 15:15:08 GMT 2006
Wait a minute, on the Manage Bookmarks page, there is actually a Delete
link AND a checkbox with a form submit! Does that seem redundant to
Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com
Ryan Scheuermann wrote:
> I'm not in agreement either way, but here's a proposed solution for
> getting rid of the GET delete requests:
> Drop the buttons for "Delete" completely and make checkboxes for each,
> with a "Delete Posts" submit button on the bottom of the page? We
> already do this on the Manage Bookmarks page and it's actually more
> user-friendly because you can delete multiple posts/pages at once.
> from accidentally clicking the "Delete" button and with no
> confirmation popup from "poof" post gone, sorry. And that would also
> remove the need for the AJAX list management code, or we could still
> use AJAX for the form submit...
> As for approving comments from emails, either do what Ryan Duff is
> What about a hash appended to the link that is generated when the
> email is sent? To delete it via a single click it would require the
> hash to match. The other POST method could be used in the admin
> interface for security there.
> The only person that would get the hash would be the email
> recipient, removing the risk of anybody being able to craft a link
> and cause you to delete something with a single click.
> Or, we don't allow approving comments from emails, but we provide a
> link to WP Admin where you can (using a POST). I don't know, I'm all
> about the aesthetically pleasing GUI, but this seems a little trivial
> for something that can be accomplished with REST and still be
> aesthetically pleasing with checkboxes.
> Ryan Scheuermann
> Concept 64, Inc. | Phone: 610.349.0703 | Web: www.concept64.com
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
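The two mechanisms the quoted message proposes, a keyed hash appended to the one-click e-mail link and a POST-only checkbox form for the admin screen, modelled in Python as an added example. This is not WordPress code and not code from anyone on the thread; the secret, the URL, the parameter names (`action`, `c`, `token`) and the handler names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: a per-site secret. A real site would generate
# it once, keep it out of the table that stores comments, and rotate it if it
# ever leaks. Anyone holding it can mint valid links.
EXAMPLE_SECRET = b"example-site-secret-do-not-reuse"

ALLOWED_ACTIONS = {"approve", "spam", "delete"}


def action_token(secret: bytes, action: str, comment_id: int) -> str:
    """Keyed hash (HMAC-SHA256) over the action and the comment id.

    Binding the action into the MAC means an 'approve' link cannot be
    turned into a 'delete' link by editing the query string; only the
    server and the e-mail recipient ever see a token that verifies.
    """
    message = f"{action}:{int(comment_id)}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_email_link(secret: bytes, base_url: str, action: str, comment_id: int) -> str:
    """Link to embed in the moderation e-mail (assumed URL layout)."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    query = urlencode({
        "action": action,
        "c": comment_id,
        "token": action_token(secret, action, comment_id),
    })
    return f"{base_url}?{query}"


def handle_email_click(secret: bytes, url: str) -> tuple[bool, str]:
    """Server side of the one-click link: recompute the MAC and compare it
    in constant time. Returns (accepted, reason)."""
    params = parse_qs(urlparse(url).query)
    try:
        action = params["action"][0]
        comment_id = int(params["c"][0])
        supplied = params["token"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"
    if action not in ALLOWED_ACTIONS:
        return False, "unknown action"
    expected = action_token(secret, action, comment_id)
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"
    return True, f"{action} comment {comment_id}"


def handle_admin_bulk_delete(method: str, form: dict) -> tuple[bool, list[int]]:
    """Admin-screen counterpart: the checkbox form is accepted over POST only.
    A GET, however it was produced, is refused before any id is looked at."""
    if method.upper() != "POST":
        return False, []
    ids = []
    for raw in form.get("delete_ids", []):
        try:
            ids.append(int(raw))
        except ValueError:
            return False, []
    return True, ids


if __name__ == "__main__":
    link = build_email_link(EXAMPLE_SECRET, "https://blog.example/wp-admin/comment.php", "approve", 42)
    print(link)
    print(handle_email_click(EXAMPLE_SECRET, link))
    print(handle_email_click(EXAMPLE_SECRET, link.replace("c=42", "c=43")))
    print(handle_admin_bulk_delete("GET", {"delete_ids": ["1"]}))
    print(handle_admin_bulk_delete("POST", {"delete_ids": ["1", "7"]}))
```

`hmac.compare_digest` is used rather than `==` so that a mismatching token is rejected in time independent of how many leading characters happened to match. The token here is bound to the action and the object id only; whether to also expire it or make it single-use is a separate design decision the thread does not settle.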