| Project: | Advanced Book Blocks |
| Version: | 6.x-2.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Although the fix in the recent security release does protect against third-party CSRF attacks, it would be preferable to provide a confirmation form for these actions for a few reasons:
1.) Manipulating data using GET requests can cause unintentional data loss when using accelerators / pre-fetchers. According to strict HTTP standards, a GET request should never affect data. See, for example: http://37signals.com/svn/archives2/google_web_accelerator_hey_not_so_fas...
2.) The use of the 'ID-token' pattern in the URL, while effective, is not a usual pattern. Ideally the URL path should specify the intended resource only, and meta-data or actions should be passed as separate variables.
3.) Providing a confirmation form is very easy, since Drupal provides the confirm_form() function. For an example of its use, see http://api.drupal.org/api/function/node_delete_confirm/6
Thanks for fixing the security issue. I hope this additional suggestion will help avoid bugs and continue to improve the quality of the code.
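The confirm_form() approach suggested above, as an added example (not code from the Advanced Book Blocks module): a Drupal 6 menu callback where the path names only the resource, and the state change happens solely in a POST submit handler that runs after the form token has been validated. The module name abb_example, the callback names, the permission string and the table name are assumptions.

```php
<?php
// Added example, not part of the Advanced Book Blocks module. Replaces a
// GET-based "ID-token" action URL with a confirm_form() round-trip.
// Module name, callbacks, permission and table name are assumed.

/**
 * Implementation of hook_menu().
 */
function abb_example_menu() {
  $items = array();
  // The path identifies the resource only; the action is a separate confirm step.
  $items['abb-example/%node/remove-block'] = array(
    'title' => 'Remove book block',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('abb_example_remove_confirm', 1),
    'access arguments' => array('administer book outlines'), // assumed permission
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Confirmation form. confirm_form() adds a per-session form token, so the
 * submit handler is only reached by a POST carrying a valid token, never by
 * a plain GET from a link, pre-fetcher or third-party page.
 */
function abb_example_remove_confirm(&$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form(
    $form,
    t('Are you sure you want to remove the book block for %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This action cannot be undone.'),
    t('Remove'),
    t('Cancel')
  );
}

/**
 * Submit handler: the only place the data is modified.
 */
function abb_example_remove_confirm_submit($form, &$form_state) {
  $nid = $form_state['values']['nid'];
  // Assumed table standing in for the module's own data change.
  db_query("DELETE FROM {abb_example_blocks} WHERE nid = %d", $nid);
  drupal_set_message(t('The book block has been removed.'));
  $form_state['redirect'] = 'node/' . $nid;
}
```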