For secutrity & integrity purposed:

Should we require that users not be able to hack the URL, why not use the POST rather than GET?

This is somehow related to: Populate multiple fields through the URL

With Regards

Comments

bakr’s picture

Just for a note:

The URL-Hackability is exhibited through the Prepoulate module as well.

quicksketch’s picture

POST shouldn't be used for something like this considering it's not an "action" (like saving a form), and besides it doesn't prevent "hacking" the URL anyway for any user that may have malicious intent and a Firefox extension like Tamper Data. In any case, it doesn't hurt that the user can change the URL, because Node Reference won't let the node be saved if it is an invalid reference. Node Reference URL doesn't provide any additional security, it just saves the user from typing in or selecting a node.

bakr’s picture

Hmm, that is more educating. very insightful.

Really thanks for the digest.

I was coming from an earlier web development background, when I was relying on a closed inline session that does not expose any thing to the cookies, where I functionally had sometimes to pass few parameters from one form to another... so far so good.

Node Reference URL is mainly used for node references. (which is primary hack safe like you said)

Some time we need to pass certain action parameters which are valid from system perspective,
Other times we need to have an extra check, to ensure not only the referencing validity, but also the conformance of certain data pattern (This is where I do not want user hacking the URL at all)

Unfortunately I do not program in php, rather I am a lasso developer (lassosoft.com)

With Best Regards

quicksketch’s picture

Category: feature » support
Status: Active » Fixed

Other times we need to have an extra check, to ensure not only the referencing validity, but also the conformance of certain data pattern (This is where I do not want user hacking the URL at all)

If you'd like to do a special restriction of referenceable nodes, you can use the option to restrict the list of nodes to a View. This allows you to do advanced restrictions like only allowing nodes to be referenced if a user has a certain role or the node has a certain property.

However, this functionality is again not specifically related to this module, which just makes links a prepopulates the URLs. The fact that the user can "hack" the URL is no more dangerous than the fact that they can change the URL from "node/1" to "node/2", or type in any URL they want anyway. Security is provided once the user is actually on the page, such as showing a 403 error or not allowing the value to be prepopulated or saved.

bakr’s picture

Very sensible, this settles the brainstorm down.

Especially when you refered that:

Security is provided once the user is actually on the page

Thanks again for the quick and logical sketch!

Bakr

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.