Changes between Version 2 and Version 3 of CookBookManipulatorWithHiddenFields


Timestamp: 09/16/05 10:52:48 (9 years ago)
Author: L.Plant.98@…
Comment: security related improvement

  • CookBookManipulatorWithHiddenFields

    v2 v3  
    8383 
    8484Enjoy! 
     85 
     86''This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do.  In this case you could then spoof the user doing the post.  A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use.  Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)''
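
Review bot: The new paragraph at v3 line 86 is appended after the "Enjoy!" sign-off as an italic aside, so a reader who copies the recipe above it meets the warning only after the code. Since the paragraph itself says a user can edit hidden form fields and spoof the user doing the post, the warning belongs at the top of the page, or the recipe should be replaced by the approach it proposes. That approach (a manipulator constructor that takes the values to fix, and a save() override that enforces them on the copy of the posted data before calling the base save()) is described as untried ("I haven't tried this"), so it should be tested and shown as code before the page recommends it.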