Closed (fixed)
Project:
Node Reference URL Widget
Version:
6.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
3 Mar 2010 at 05:23 UTC
Updated:
19 Mar 2010 at 08:00 UTC
For secutrity & integrity purposed:
Should we require that users not be able to hack the URL, why not use the POST rather than GET?
This is somehow related to: Populate multiple fields through the URL
With Regards
Comments
Comment #1
bakr commentedJust for a note:
The URL-Hackability is exhibited through the Prepoulate module as well.
Comment #2
quicksketchPOST shouldn't be used for something like this considering it's not an "action" (like saving a form), and besides it doesn't prevent "hacking" the URL anyway for any user that may have malicious intent and a Firefox extension like Tamper Data. In any case, it doesn't hurt that the user can change the URL, because Node Reference won't let the node be saved if it is an invalid reference. Node Reference URL doesn't provide any additional security, it just saves the user from typing in or selecting a node.
Comment #3
bakr commentedHmm, that is more educating. very insightful.
Really thanks for the digest.
I was coming from an earlier web development background, when I was relying on a closed inline session that does not expose any thing to the cookies, where I functionally had sometimes to pass few parameters from one form to another... so far so good.
Node Reference URL is mainly used for node references. (which is primary hack safe like you said)
Some time we need to pass certain action parameters which are valid from system perspective,
Other times we need to have an extra check, to ensure not only the referencing validity, but also the conformance of certain data pattern (This is where I do not want user hacking the URL at all)
Unfortunately I do not program in php, rather I am a lasso developer (lassosoft.com)
With Best Regards
Comment #4
quicksketchIf you'd like to do a special restriction of referenceable nodes, you can use the option to restrict the list of nodes to a View. This allows you to do advanced restrictions like only allowing nodes to be referenced if a user has a certain role or the node has a certain property.
However, this functionality is again not specifically related to this module, which just makes links a prepopulates the URLs. The fact that the user can "hack" the URL is no more dangerous than the fact that they can change the URL from "node/1" to "node/2", or type in any URL they want anyway. Security is provided once the user is actually on the page, such as showing a 403 error or not allowing the value to be prepopulated or saved.
Comment #5
bakr commentedVery sensible, this settles the brainstorm down.
Especially when you refered that:
Thanks again for the quick and logical sketch!
Bakr