[wp-hackers] Security at Wordpress
Ryan Scheuermann
ryan at concept64.com
Mon Apr 24 15:44:35 GMT 2006
Rob Mientjes wrote:
> On 24/04/06, Ryan Scheuermann <ryan at concept64.com> wrote:
>
>> Really, it's just a difference between two clicks or one. Mass delete
>> may not be "needed" but it's certainly giving the user an ability they
>> didn't have before. And it does solve the problem of making the Delete
>> action distinct from the Edit link.
>>
>
> Okay, that makes sense. You're quite right, in fact. I don't see why
> this specific change can't be implemented. This needs no confirmation
> e-mails or other silliness; post delete deserves POST.
>
> -Rob.
>
I mean, using a checkbox form for post delete solves a lot of the
current issues:
1. post/page delete uses POST and HTTP spec is not violated! hay!
2. no worries about a consistent looking form button across browsers if
there is only 1 on the bottom of the page
3. no need for nonces if the delete action requires POST
4. no security issues because links can't POST (security being the
original concern of this thread)
5. adds new functionality for mass delete of posts (even if not needed)
6. no accidental deletions with Javascript disabled/missing
7. follows a widely accepted and user-friendly model for web applications
Are there any other angles we haven't thought of?
Ryan
More information about the wp-hackers
mailing list