Closed (fixed)
Project:
Chaos Tool Suite (ctools)
Version:
6.x-1.8
Component:
Miscellaneous
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
1 Jun 2011 at 02:54 UTC
Updated:
15 Jun 2011 at 06:12 UTC
Hi,
I use ctools ajax a lot of the time using the nid as the argument to determine what content is pulled.
I was wondering if someone could potentially change the nids to ones of their choice in hopes of finding private information, or if there was something that made sure that
I tried it with Firebug and it makes a page reload, so that it goes to the node page itself rather than using ajax, which is great because I have proper security in place in those cases. But, I know that hackers are a lot more clever than I am, and I don't want to implement security checks all over if it's already taken care of.
Thanks!
Tiuya
Comments
Comment #1
merlinofchaos commented
Yes, the URL can be changed. This isn't really an AJAX issue, this is a general website security issue. If you have private info in a node, there needs to be something on that node keeping it private, or it will be retrievable. You can go to your website and type http://www.example.com/node/1757 and if that node is publicly accessible, you can get its data.
Likewise, if you've got a custom menu item that looks up by nid and returns some kind of data that is not normally displayed on the node, it is the responsibility of the code accepting that nid to validate that the user has access to that data before returning it.
The rule of website security is: No data input from the browser is safe. Everything must be checked.
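As an added illustration of the point made in comment #1 (this is editor-supplied example code, not code from the issue or from ctools itself), here is how a Drupal 6 / ctools 6.x AJAX callback that takes a nid can put the access check on the menu entry instead of trusting the value that arrives in the URL. The module name `mymodule`, the path `mymodule/ajax/%node`, the `#node-preview` selector and the `mymodule_node_preview_link()` helper are all assumptions made for the example. The `%node` wildcard makes the menu system run `node_load()` on the nid, so a nid that does not exist produces a 404 before the callback runs, and `node_access('view', $node)` as the access callback produces a 403 for nodes the current user may not see. Changing the nid in Firebug therefore only ever returns content the user could already reach at `node/NID`.

```php
<?php
// Added example for a ctools AJAX callback keyed by nid (Drupal 6, ctools 6.x).
// Module name, path and selector are assumptions; nothing here is from ctools.

/**
 * Implementation of hook_menu().
 */
function mymodule_menu() {
  $items = array();
  // %node runs node_load() on the third path component; a bogus nid is a 404.
  $items['mymodule/ajax/%node'] = array(
    'title' => 'Node preview',
    'page callback' => 'mymodule_ajax_node_preview',
    'page arguments' => array(2),
    // The access check lives on the menu entry: node_access('view', $node)
    // is evaluated before the page callback ever sees the node. Same pattern
    // core uses for node/%node.
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: returns the node's rendered body via ctools AJAX commands.
 *
 * Normal requests (no ctools JS on the page) get a plain HTML response, so the
 * URL degrades to something usable instead of dumping raw JSON.
 */
function mymodule_ajax_node_preview($node, $js = FALSE) {
  ctools_include('ajax');

  // Defensive re-check: the menu router already enforced node_access(), but
  // this keeps the function safe if it is ever called from somewhere else.
  if (!node_access('view', $node)) {
    drupal_access_denied();
    return;
  }

  $output = node_view($node, FALSE, FALSE, FALSE);

  if (!$js) {
    // Non-AJAX fallback: render the page normally.
    return $output;
  }

  $commands = array();
  $commands[] = ctools_ajax_command_html('#node-preview', $output);
  ctools_ajax_render($commands);
}

/**
 * Helper (assumed name): builds the link that triggers the AJAX call.
 *
 * Only the nid goes in the URL; the server decides what the user may see.
 */
function mymodule_node_preview_link($node) {
  ctools_include('ajax');
  ctools_add_js('ajax-responder');
  return l(t('Preview'), 'mymodule/ajax/' . $node->nid,
    array('attributes' => array('class' => 'ctools-use-ajax')));
}
```

Two design notes. First, the check is placed on the menu item rather than inside the callback so that it cannot be forgotten when someone adds a second callback on the same path prefix; the in-function re-check is just belt and braces. Second, `node_access('view', ...)` is the right check only when the callback returns what the node page itself shows. If the callback returns data that is *not* normally displayed on the node (the second case in comment #1), use a permission that actually describes that data, for example `user_access('view private node data')`, as the access callback instead, because a user who may view the node is not automatically entitled to the extra data.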