[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 21 21:34:16 GMT 2006
#2678: Nonces instead of referers
----------------------------+-----------------------------------------------
Id: 2678 | Status: new
Component: Administration | Modified: Fri Apr 21 21:34:16 2006
Severity: normal | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: ringmaster
----------------------------+-----------------------------------------------
Comment (by ringmaster):
Yes. All state changing admin requests (via form or link) should include
nonces, and all code that performs those changes should be protected by a
matching check_admin_referer(). Pages that don't perform such changes
shouldn't include check_admin_referer(), since it will make it
unnecessarily difficult to link to those pages.
Perhaps an optional second argument to check_admin_referer() that would
help it decide what to do in the event of a failure? That way, admin
panels like the comment approval/deletion could supply their own
confirmation dialogs. Perhaps it could be like:
{{{
if (check_admin_referer('confirmdeletecomment', true)) {
    // delete comment
}
else {
    // display custom confirmation
}
}}}
Thoughts?
--
Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
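The flow ringmaster sketches above, as an added example that is not part of the original ticket and not WordPress's own implementation: a nonce bound to the action, the user and a time window, a check_admin_referer() with the proposed second argument that returns false instead of terminating the request, and the comment-deletion handler that shows its own confirmation when the nonce is absent or stale. NONCE_SECRET, NONCE_LIFETIME, current_user_id(), nonce_url() and the comment.php URL are assumptions for the demo, not WordPress APIs.

```php
<?php
// Added example (not WordPress code). Names marked "assumed" are stand-ins.

const NONCE_SECRET   = 'replace-with-a-long-random-secret-from-config'; // assumed
const NONCE_LIFETIME = 43200; // assumed: 12-hour validity window, in seconds

function current_user_id(): int { return 42; } // assumed stand-in for the logged-in user

// Nonce = truncated HMAC over (time window, action, user). Binding it to the
// action and the object id means a nonce minted for "approve-comment-7"
// cannot be replayed against "delete-comment-7" or "delete-comment-8".
function create_nonce(string $action, ?int $tick = null): string {
    $tick = $tick ?? (int) floor(time() / NONCE_LIFETIME);
    $mac  = hash_hmac('sha256', $tick . '|' . $action . '|' . current_user_id(), NONCE_SECRET);
    return substr($mac, -12);
}

function verify_nonce(string $nonce, string $action): bool {
    $tick = (int) floor(time() / NONCE_LIFETIME);
    // Accept the current and the previous window so a form filled in just
    // before a boundary still submits; hash_equals() is constant-time.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(create_nonce($action, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// The signature proposed in the ticket: a second argument that turns a
// failed check into a false return so the caller can render its own dialog.
// Without it, failure ends the request, which is the right default for code
// that never expects to show a confirmation page.
function check_admin_referer(string $action, bool $return_on_failure = false): bool {
    $nonce = (string) ($_REQUEST['_wpnonce'] ?? '');
    if ($nonce !== '' && verify_nonce($nonce, $action)) {
        return true;
    }
    if ($return_on_failure) {
        return false;
    }
    http_response_code(403);
    exit('Are you sure you want to do this?');
}

// Attach a fresh nonce to a state-changing link (assumed helper).
function nonce_url(string $url, string $action): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . '_wpnonce=' . rawurlencode(create_nonce($action));
}

// The comment-deletion handler from the ticket. The comment id is folded
// into the action string so each nonce is good for exactly one comment.
$comment_id = (int) ($_GET['comment'] ?? 0);
$action     = 'confirmdeletecomment-' . $comment_id;

if (check_admin_referer($action, true)) {
    // delete comment: the real state change goes here
    echo "Comment $comment_id deleted.\n";
} else {
    // display custom confirmation: the "Yes" link carries a valid nonce,
    // so a plain cross-site link to this URL only ever lands here.
    $confirm = nonce_url('/wp-admin/comment.php?action=delete&comment=' . $comment_id, $action); // assumed URL
    echo 'Delete comment ' . $comment_id . '? <a href="' . htmlspecialchars($confirm, ENT_QUOTES) . '">Yes</a>' . "\n";
}
```

Two things to check when wiring this into a real handler: the nonce must be verified before any state change (not after), and GET links that mutate state should still be the exception, since the nonce stops cross-site forgery but not a user who is tricked into clicking the confirmation themselves.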