You could use ACL to prevent that action from being executed (from
anyone other than admins).

Another thing is that you should use POST requests for anything that
affects the database and GET requests for passive actions. That way
you have a little more assurance that the db changing requests are
coming from your site (if you check for it).

I think there is some sort of security component to help with this.

On Sep 16, 9:45 pm, beetlecube <[EMAIL PROTECTED]> wrote:
> I realized humorously, that my delete links for the posts on my mini-
> discussion board were clearly showing in the status bar:
> "www.mysite.com/index.php/posts/delete/45".
>
> So of course even though the delete link only shows up for posts
> where post.userid = session[userid], if you are a user who has half a
> brain, you would eventually see the URL on the status bar and you
> could just type it in manually to delete any post you want that other
> people posted.
>
> So along with setting the status="" attribute for each "href", I
> realized I need to add to my controller's code for the delete()
> function:
>
> if ( $session->read('userid') == $data->post['userid'] )
>
> Would you do even more than that, to prevent unwanted post deletions?
>
> Steve
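The two pieces of advice in this thread, an ownership check inside the delete action and accepting the delete only as a POST, as one added example in plain PHP. It is not either poster's code and not CakePHP's API: the action is modelled as a pure function that receives the request method, the session user and a constructed in-memory table of posts, and returns its decision instead of touching a database.

```php
<?php
// Added illustration, not code from either poster and not CakePHP's own API.
// The delete action is modelled as a pure function so the checks can be
// exercised without a framework: request method, session user and the post
// table are all passed in, and the decision is returned rather than acted on.

// Constructed sample data: two posts owned by different users.
$posts = [
    45 => ['id' => 45, 'userid' => 7,  'body' => "Steve's post"],
    46 => ['id' => 46, 'userid' => 12, 'body' => "someone else's post"],
];

/**
 * Decide whether a delete request may proceed.
 * Returns 'deleted', or a string starting with 'refused:' giving the reason.
 */
function authorize_delete(string $method, ?int $sessionUserId, array $posts, int $postId): string
{
    // 1. State-changing work only via POST: a URL typed into the address bar is a GET.
    if ($method !== 'POST') {
        return 'refused: delete must be a POST request';
    }
    // 2. The caller must be logged in at all.
    if ($sessionUserId === null) {
        return 'refused: not logged in';
    }
    // 3. The post must exist; say no more than that.
    if (!isset($posts[$postId])) {
        return 'refused: no such post';
    }
    // 4. Ownership check on the server side: hiding the link in the view is not enough.
    //    Both sides are cast to int because session values are often stored as strings,
    //    and a strict (!==) comparison avoids the '=' versus '==' mistake.
    if ((int) $posts[$postId]['userid'] !== (int) $sessionUserId) {
        return 'refused: not the owner of post ' . $postId;
    }
    return 'deleted';
}

// Walk through the situations described in the thread.
$cases = [
    ['GET',  7,    45],   // the status-bar URL typed in by the owner: still refused, it is a GET
    ['POST', 7,    45],   // owner, via a form submit: allowed
    ['POST', 7,    46],   // owner of 45 trying to delete another user's post: refused
    ['POST', null, 45],   // anonymous visitor: refused
];
foreach ($cases as [$method, $uid, $id]) {
    printf("%-4s user=%-4s post=%d -> %s\n",
        $method, var_export($uid, true), $id, authorize_delete($method, $uid, $posts, $id));
}
```

In a real CakePHP controller the same four checks would sit at the top of `delete()` before any model call, with the redirect or flash message decided by the returned reason.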


You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en