Think Security
by
02 Apr 2003
I can't believe how many people are credibly suggesting this. Example: let's say you don't want unregistered members to view the smilies page. Your solution might be to use a conditional templates hack and simply remove all references to that page for guests. However, anybody who knows the URL to the page can just load it himself. That may sound trivial, so here's another example. Let's say you have a moderator area that lets mods quickly prune posts in a given forum. You use the same method, and you have the same problem: anybody could figure out the URL and do whatever they want. So, in summary: always, with no exceptions, do permission checking both when displaying certain parts of a UI and when actually executing the user's request.
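The moderator prune scenario above, as an added example that is not code from the original post or from any particular forum package: the UI hides the prune link from non-moderators, and the two action handlers show the difference between trusting that hiding (insecure) and re-checking the permission when the request executes (secure). The `User` class, handler names, URLs and forum data are all constructed for illustration.

```python
# Added example, not code from the original post; names and data are constructed.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    is_moderator: bool = False

# Constructed sample data: forum id -> list of post ids.
FORUM_POSTS = {7: [101, 102, 103]}

def can_prune(user: User, forum_id: int) -> bool:
    """One authorization rule, shared by the UI and the action handler."""
    return user.is_moderator and forum_id in FORUM_POSTS

def render_forum_menu(user: User, forum_id: int) -> list:
    """UI layer: hides the prune link from non-moderators (cosmetic only)."""
    links = ["/viewforum?f=%d" % forum_id]
    if can_prune(user, forum_id):
        links.append("/modcp?action=prune&f=%d" % forum_id)
    return links

def prune_insecure(user: User, forum_id: int, posts: dict) -> list:
    """'Conditional template' approach: trusts that only mods ever saw the link."""
    removed, posts[forum_id] = posts[forum_id], []
    return removed

def prune_secure(user: User, forum_id: int, posts: dict) -> list:
    """Re-checks permission at execution time, so a guessed URL buys nothing."""
    if not can_prune(user, forum_id):
        raise PermissionError("%s may not prune forum %d" % (user.name, forum_id))
    removed, posts[forum_id] = posts[forum_id], []
    return removed

def demo() -> dict:
    """A guest requests the prune URL directly, never having seen the link."""
    guest = User("guest")
    insecure = {k: list(v) for k, v in FORUM_POSTS.items()}
    secure = {k: list(v) for k, v in FORUM_POSTS.items()}
    prune_insecure(guest, 7, insecure)          # succeeds: all posts gone
    try:
        prune_secure(guest, 7, secure)          # rejected: posts untouched
        denied = False
    except PermissionError:
        denied = True
    return {"link_shown": "/modcp?action=prune&f=7" in render_forum_menu(guest, 7),
            "insecure_left": len(insecure[7]), "secure_left": len(secure[7]),
            "secure_denied": denied}
```

`demo()` returns `link_shown=False` and `secure_denied=True`: the guest never saw the link, yet the insecure handler still emptied the forum while the secure one refused.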