[thesite] Bug?

jeff jeff at members.evolt.org
Sun Dec 3 11:36:57 CST 2000


: From: David McCreath
: I don't know if this constitutes a bug, but while
: playing around with some of the comment
: documents, I was trying to find the comment
: search (which I still haven't found... is it an
: admin function?).


it's not really an admin function, but it's also not fully developed yet
either.  i'm still having some issues with the search functionality.

: Anyway, while looking at a comment, I started
: plugging actions into the query string based on
: app_comment to try to get to the comment search.
: So I tried "delete" and I got a 404 message, but when
: I went back to the article that the comment was attached
: to, I realized that I had deleted it! It was one of Elfur's
: comments (sorry, E. :(), not mine which is what concerns
: me.

i'm curious what the url looked like.  could you reconstruct what you did
and post it?

: Do we need to have a confirmation *page* instead of
: just a dialogue box? I'm just thinking about malicious
: deletion of comments, and I guess anybody bent on
: deleting someone else's comment would just answer
: yes, but is there some way to prevent that from happening
: (deleting a comment by adding "delete" to the query string)?

well, since only the author of a comment or an admin should be able to
delete a comment, i just went ahead and put in that exact logic.  so, unless
you own the comment or have the appropriate level of access you shouldn't be
able to do this again.
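The fix jeff describes (only the comment's author or an admin may delete) is one half of closing this bug; the other half is that a plain GET with `delete` in the query string should never change anything, so a link or a guessed URL cannot remove a comment by itself. The following is an added illustration of both rules and is not the evolt.org code; the `User`, `Comment`, `Request` classes, the `CommentStore` and the handler name are assumptions made for the example.

```python
"""Hypothetical comment-deletion handler (not evolt.org code) that
(1) lets only the comment's author or an admin delete it, and
(2) treats GET as read-only: GET renders a confirmation step with a
    one-time token, and only a POST carrying that token actually deletes."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Comment:
    comment_id: int
    author_id: int
    body: str


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, query string, form fields."""
    method: str
    query: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    user: Optional[User] = None  # None means not logged in


class CommentStore:
    """In-memory comment table plus pending confirmation tokens (constructed for the example)."""

    def __init__(self, comments):
        self.comments = {c.comment_id: c for c in comments}
        # one-time confirmation tokens keyed by (user_id, comment_id)
        self.pending: Dict[Tuple[int, int], str] = {}

    def get(self, comment_id: int) -> Optional[Comment]:
        return self.comments.get(comment_id)

    def delete(self, comment_id: int) -> None:
        self.comments.pop(comment_id, None)


def can_delete(user: Optional[User], comment: Comment) -> bool:
    """Authorization rule from the thread: the comment's author or an admin."""
    if user is None:
        return False
    return user.is_admin or user.user_id == comment.author_id


def handle_comment_delete(req: Request, store: CommentStore) -> Tuple[int, str]:
    """Return (status_code, body). The comment is removed only on a confirmed POST."""
    raw_id = req.query.get("comment_id") if req.method == "GET" else req.form.get("comment_id")
    try:
        comment_id = int(raw_id)
    except (TypeError, ValueError):
        return 400, "missing or invalid comment_id"

    comment = store.get(comment_id)
    if comment is None:
        return 404, "no such comment"

    # authorization check happens before any state change, for GET and POST alike
    if not can_delete(req.user, comment):
        return 403, "you may only delete your own comments"

    if req.method == "GET":
        # read-only: hand back a confirmation page carrying a fresh one-time token
        token = secrets.token_hex(16)
        store.pending[(req.user.user_id, comment_id)] = token
        return 200, f"confirm deletion of comment {comment_id}: token={token}"

    if req.method == "POST":
        expected = store.pending.pop((req.user.user_id, comment_id), None)
        supplied = req.form.get("token", "")
        if expected is None or not secrets.compare_digest(expected, supplied):
            return 403, "missing or stale confirmation token"
        store.delete(comment_id)
        return 200, f"comment {comment_id} deleted"

    return 405, "method not allowed"


if __name__ == "__main__":
    # constructed walkthrough: user 2 tries to delete user 1's comment, then user 1 does it properly
    store = CommentStore([Comment(7, author_id=1, body="sample comment")])
    print(handle_comment_delete(Request("GET", {"action": "delete", "comment_id": "7"}, user=User(2)), store))
    status, page = handle_comment_delete(Request("GET", {"action": "delete", "comment_id": "7"}, user=User(1)), store)
    token = store.pending[(1, 7)]
    print(handle_comment_delete(Request("POST", {}, {"comment_id": "7", "token": token}, user=User(1)), store))
```

The ownership check runs before the method branch, so a non-owner gets the same 403 whether they arrive by GET or POST, and the token is popped on use so a confirmation page cannot be replayed. A dialogue box alone, as the original question notes, only asks the person who is already trying to delete; the server-side check is what actually stops it.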


