[wp-hackers] Ajax calls and cookie within the admin

Austin Matzko if.website at gmail.com
Mon Feb 23 20:57:48 GMT 2009


On Mon, Feb 23, 2009 at 2:36 PM, L'Autre Monde <autremonde75 at gmail.com> wrote:
> Ok but then, what do I need to perform to secure my ajax handler on the
> server side? Is there a method to check the cookie validity? Is the nonce
> verification enough?

No, nonces are meant mainly to prevent XSS attacks[1].  You also need
to check the capabilities of the user making the Ajax request.  What
you check depends on what the person is doing.  For example, if it has
to do with changing post data, you might check whether that user can
edit posts in general:

if ( current_user_can('edit_posts') ) {
    // the current user is allowed to edit posts; handle the request here
}

or a particular post, in this case one with the ID of 123:

if ( current_user_can('edit_post', 123) ) {
    // the current user is allowed to edit post 123 specifically
}

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
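An added example, not code from this thread, putting both checks together in one admin-ajax handler: the nonce is verified first, then the caller's capability for the specific post, and only then is the data touched. It assumes a modern WordPress (wp_send_json_success/wp_send_json_error) and the action and nonce names are made up.

```php
<?php
// Added example (not from the thread): an admin-ajax handler that verifies the
// nonce AND the caller's capability before touching post data.
// Assumes a modern WordPress (wp_send_json_* need 3.5+, the HTTP status argument 4.1+).
// The action name "myplugin_update_post" and nonce action "myplugin-update-post"
// are hypothetical.

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so logged-out requests never
// reach this function; admin-ajax.php answers them with 0 / -1 instead.
add_action( 'wp_ajax_myplugin_update_post', 'myplugin_ajax_update_post' );

function myplugin_ajax_update_post() {
    // 1. Nonce: rejects requests that were not produced by our own page/script.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'myplugin-update-post', '_ajax_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 400 );
    }

    // 2. Capability: the nonce proves intent, not authority. Check that THIS
    //    user may edit THIS post; the edit_post meta capability resolves to
    //    edit_posts / edit_others_posts / edit_published_posts as appropriate.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Only now act on the data, after sanitizing it.
    $title  = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Client side: send the value of wp_create_nonce( 'myplugin-update-post' ) as the
// _ajax_nonce field of the POST body to admin-ajax.php, with action=myplugin_update_post.
```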
