[wp-trac] Re: [WordPress Trac] #3807: Admin Functions Denying Access with "You don't have permission to do that"

WordPress Trac wp-trac at lists.automattic.com
Mon Jun 4 20:18:44 GMT 2007


#3807: Admin Functions Denying Access with "You don't have permission to do that"
-----------------------------------------------+----------------------------
 Reporter:  seanwedig                          |        Owner:  anonymous   
     Type:  defect                             |       Status:  new         
 Priority:  normal                             |    Milestone:  2.4 (future)
Component:  Administration                     |      Version:  2.1         
 Severity:  major                              |   Resolution:              
 Keywords:  permissions has-patch 2nd-opinion  |  
-----------------------------------------------+----------------------------
Comment (by mdawaffe):

 It's one level of protecting against forged requests that come from the
 same domain.  Other levels include using POSTs and kses.

 If we had any GET based AJAX requests, for example, someone could write a
 link that when clicked would add something to the blogroll (or whatever)
 since the admin cookie would be there in $_COOKIE.

 Requiring that the cookie also be found in $_REQUEST and only handling
 POST AJAX requests ensures that all requests come either from a form or
 from JS, both of which are removed by kses.

 That's why.  What you mention is the why not :)

 I think we can shift to using nonces now that we have them.  In fact, most
 of the AJAX stuff we do is parallel to normal form POSTs and so a nonce is
 already available for most things.  Also, I think autosave has a JS
 function which could be mooshed into requesting fresh nonces for whatever
 we need.   It should get a security review and be included as a method in
 the wpAjax JS object.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3807#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
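As an added example (not code from the ticket or from WordPress itself), the two checks the comment describes, written out in PHP: the cookie-must-be-echoed-in-the-POST rule and the nonce that would replace it. The cookie name, the secret, the 12-hour tick and the HMAC nonce construction are assumptions made for this illustration only.

```php
<?php
// Added illustration (not WordPress code) of the two request checks described
// in the comment: (1) the auth cookie must be echoed back in a POST body, and
// (2) the nonce-based replacement. Names and the HMAC scheme are assumptions.

const COOKIE_NAME  = 'wordpressuser';   // assumed cookie name
const NONCE_SECRET = 'example-secret';  // constructed; a real site uses its own secret

// Check (1): cookie-in-request. The browser attaches $_COOKIE to any request it
// sends, but a forged form or link cannot read the cookie's value to copy it
// into the POST body, so a mismatch (or a GET) is rejected.
function ajax_request_allowed(string $method, array $cookies, array $request): bool {
    if ($method !== 'POST') {
        return false;
    }
    $cookie = $cookies[COOKIE_NAME] ?? '';
    $echoed = $request[COOKIE_NAME] ?? '';
    return $cookie !== '' && hash_equals($cookie, $echoed);
}

// Check (2): nonce. The value binds user, action and a time window, so the
// check no longer depends on the cookie being echoed at all.
function make_nonce(int $user_id, string $action, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 10);
}

function verify_nonce(string $nonce, int $user_id, string $action, int $tick): bool {
    // Accept the current tick and the previous one so a nonce issued just
    // before the window rolled over is still valid.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(make_nonce($user_id, $action, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests.
$cookies = [COOKIE_NAME => 'admin'];
var_dump(ajax_request_allowed('GET',  $cookies, [COOKIE_NAME => 'admin'])); // false: GET link
var_dump(ajax_request_allowed('POST', $cookies, []));                         // false: cookie not echoed
var_dump(ajax_request_allowed('POST', $cookies, [COOKIE_NAME => 'admin'])); // true

$tick  = intdiv(time(), 43200); // 12-hour window (assumption)
$nonce = make_nonce(1, 'add-link', $tick);
var_dump(verify_nonce($nonce, 1, 'add-link', $tick));    // true
var_dump(verify_nonce($nonce, 1, 'delete-link', $tick)); // false: wrong action
```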