[wp-hackers] Is disabling remote client access a good idea?
wordpress at santosj.name
Wed Jun 25 12:40:45 GMT 2008
Yeah, that is somewhat difficult because it really falls under
acceptance testing. I've heard of a HTTP proxy for PHPUnit, which
simulates the HTTP environment, but I really think you have to do it
live over HTTP to be accurate. Generally, if it did do it the functional
testing way, then it would take forever to run with all of the latency
of HTTP and having to do it many times. Saver to probably try to get as
much done with just one HTTP request as possible.
Ryan McCue wrote:
> DD32 wrote:
>> The way they've been more vulnerable in the past has not been
>> checking the username/password, but rather, if the user could perform
>> the action AFAIK.
>> (Eg, A Subscriber signs up, can pass the user login stage, Next is
>> checking that the user has all the permissions to do a certain
>> action, In the admin section, this is pretty complicated, Then you
>> need to duplicate all the security checks in XMLRPC.. etc)
> In my opinion, this just means that we need more regression testing,
> especially for XML-RPC. If we had automated regression testing, then
> this would not be a factor.
More information about the wp-hackers