[wp-hackers] Security at Wordpress
David Chait
davebytes at comcast.net
Mon Apr 24 20:10:08 GMT 2006
Is it allowed to require an AYS (i.e. POST-ed form) to validate the approval?
Otherwise, I gotta agree with folks, we seem to be specifically leaving open
a 'GET hole', which breaks the whole "switch to POSTs everywhere they should
be".
I'd personally prefer the moderate-by-email thing take me to the
comments-for-that-post page, and let me then moderate from there. I find I
don't necessarily want to just approve/delete, I want to see the context of
comments. And then that page would (of course) be moving to POST-ed
actions...
-d
----- Original Message -----
Owen Winkler wrote
| If someone can offer a patch that switches actions to POST I would be
| happy to see it, provided:
|
| 1) It doesn't affect the ability to moderate comments via GET links in
| email notifications.