Hi Olivier, I think the point is that you could save the form locally, change the hidden field value, and edit/overwrite other entries in the database.
Assume there is some data ACL. Here's a real e.g.:

Access http://www.noswad.me.uk/tutorials/posts/edit/9
save the form locally
set the form action to be an absolute url
change the hidden field value to "1"
submit the form

And you just edited entry number 1. If we make the assumption that the user had access to edit post 9, they just got around the restriction. This is just a trivial example to demonstrate the question raised.

It raises another problem, which I've been pondering for a little while, so I might as well chip in: if someone knows the name of a database field they shouldn't have access to edit, they can easily save and edit a form and update fields. I'm still thinking about generic solutions to this generic problem ;)

Cheers,

AD7six
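One way to close both gaps described in the message above (the rewritten hidden id, and extra fields a user should not be able to set), as an added example that is not from the original thread and not CakePHP's own code: plain PHP, with an in-memory array standing in for the posts table (constructed sample data). It assumes the authenticated user id comes from the session, never from the form, and that the record being edited is identified by the id in the URL, so the hidden "id" field is simply ignored.

```php
<?php
// Added example (not from the original thread, not CakePHP code): server-side
// checks against hidden-field tampering and unwanted field updates.
// $posts is a constructed in-memory stand-in for the database table.
$posts = [
    1 => ['id' => 1, 'user_id' => 7, 'title' => 'First post', 'body' => 'one', 'published' => true],
    9 => ['id' => 9, 'user_id' => 3, 'title' => 'Ninth post', 'body' => 'nine', 'published' => false],
];

// Whitelist of fields the edit form may change. Anything else in the POST
// body (id, user_id, published, ...) is dropped, so knowing a column name
// is not enough to update it.
const EDITABLE_FIELDS = ['title', 'body'];

/**
 * Apply an edit request on behalf of $currentUserId.
 *
 * @param int   $currentUserId id of the authenticated user (assumed to come from the session)
 * @param int   $urlId         id taken from the URL /posts/edit/<id>, not from the form
 * @param array $post          submitted form data ($_POST), treated as untrusted
 * @param array $posts         the table, passed by reference
 * @return string 'updated', 'forbidden' or 'not_found'
 */
function editPost(int $currentUserId, int $urlId, array $post, array &$posts): string
{
    // 1. The record being edited is the one named in the URL; the hidden
    //    "id" field in $post is never consulted.
    if (!isset($posts[$urlId])) {
        return 'not_found';
    }
    $record = $posts[$urlId];

    // 2. Authorization is decided from the stored record (its owner), not from
    //    anything the client sent.
    if ($record['user_id'] !== $currentUserId) {
        return 'forbidden';
    }

    // 3. Copy only whitelisted fields from the submission into the record.
    foreach (EDITABLE_FIELDS as $field) {
        if (array_key_exists($field, $post)) {
            $record[$field] = (string) $post[$field];
        }
    }
    $posts[$urlId] = $record;
    return 'updated';
}

// Constructed tampered submission: user 3 (owner of post 9) submits the form
// saved from /posts/edit/9 with the hidden id rewritten to "1" and a user_id
// and published field added by hand.
$tampered = ['id' => '1', 'user_id' => '7', 'title' => 'Hijacked', 'published' => '1'];

// Submitted against the URL the user is allowed to use: only post 9's title changes.
$first = editPost(3, 9, $tampered, $posts);

// Same body submitted against /posts/edit/1, which user 3 does not own.
$second = editPost(3, 1, $tampered, $posts);

echo "edit 9: $first, edit 1: $second\n";
echo "post 1 title: {$posts[1]['title']}, post 9 owner: {$posts[9]['user_id']}, post 9 published: ", var_export($posts[9]['published'], true), "\n";
```

Running this, the first call succeeds and changes only post 9's title, while post 1 keeps its title, post 9 keeps its owner and its unpublished state despite the extra fields, and the second call is refused because the ownership check reads the stored record rather than the form. The two checks are independent: the owner comparison stops the rewritten id, and the whitelist stops the extra field names; dropping either one reopens the corresponding hole.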
