From: Honza M. <hon...@ec...> - 2003-01-12 20:48:57

On Ne, 2003-01-12 at 02:08, Mitra wrote:
> The biggest change is that _#EDITITEM should now work in most cases
> outside of the admin interface, with the user being prompted for a
> userid/password and then returned back to where they came from.

It's nice. Thanks Mitra.

Just one note: It's not secure to add AA_CP_Session to URLs outside of the AA admin interface (like in the FAQ). If there is any link to any other webpage (in the FAQ), it is possible to get your session id (AA_CP_Session) from the 'Referer' field. With this id (or URL) you are able to access AA admin pages without login (for 3 hours, until the session id expires).

I would probably prefer to create the link without the session id (with f_e) as default (so users have to log in on every item edit) and then maybe create an optional f_e for those admins who know about this problem and don't care. At least we have to mention it in the FAQ.

What do you think?

Honza

> - Mitra
>
> 01/12/02 - changed site module to go to prior sibling when deleting
> rather than parent
> 01/12/02 - added default $item=null to new_unalias_recurent to allow
> calling from site module without warnings
> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage
> where it is already there.
> 01/12/02 - changes to allow _#EDITITEM to be used outside of admin interface
> 01/12/02 - combined several ways of redirecting to a URL into common
> function go_return_or_url
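The leak Honza describes, as an added example that is not part of the thread and not ActionApps code: a browser following an off-site link sends the current page URL, query string included, in the Referer header, so a session id carried as a query parameter travels to the linked site. The parameter name AA_CP_Session comes from the thread; the function names, the constructed sample URLs and the hostnames are assumptions made for illustration. The audit functions below flag which links on a page would carry the id to another host, and the strip function produces the session-free link the message proposes as the default.

```python
"""Audit links for a session id leaking through Referer and strip the id.
Added example, not ActionApps code.  AA_CP_Session is the parameter name from
the thread; everything else here is constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that act as bearer credentials (the session id from the thread).
SESSION_PARAMS = frozenset({"AA_CP_Session"})


def referer_sent_for(page_url: str) -> str:
    """Model of what a browser puts in Referer when the user follows a link
    from page_url: the page URL without its fragment but WITH its query string
    (the behaviour of browsers at the time of the thread)."""
    scheme, netloc, path, query, _fragment = urlsplit(page_url)
    return urlunsplit((scheme, netloc, path, query, ""))


def leaked_session_params(page_url: str, link_url: str) -> dict:
    """Return {param: value} for the session parameters of page_url that the
    site at link_url would receive in the Referer header.  Relative links and
    links to the same host are not counted: that host already has the id."""
    page = urlsplit(page_url)
    link = urlsplit(link_url)
    if not link.netloc or link.netloc.lower() == page.netloc.lower():
        return {}
    sent = urlsplit(referer_sent_for(page_url)).query
    return {k: v for k, v in parse_qsl(sent, keep_blank_values=True)
            if k in SESSION_PARAMS}


def audit_links(page_url: str, hrefs) -> list:
    """Given the hrefs found on a page (constructed input here), return those
    that would carry the session id to another host via Referer."""
    return [h for h in hrefs if leaked_session_params(page_url, h)]


def strip_session_params(url: str) -> str:
    """Remove session parameters so the URL can be exposed outside the admin
    interface; the user is then prompted to log in again on edit."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a FAQ page rendered with the session id in its URL.
    faq = "http://aa.example.org/faq.php?AA_CP_Session=abc123&x=1"
    links = ["/item.php?id=5", "http://aa.example.org/edit.php",
             "http://other.example.com/"]
    print("leaking links:", audit_links(faq, links))
    print("safe link:", strip_session_params(faq))
```

The model in referer_sent_for is deliberately the worst case: newer browsers and a Referrer-Policy header can trim the query string, but that is a client-side courtesy, not something a server should rely on to protect a credential. Keeping the id out of the URL (or in a cookie that is never rendered into links) removes the leak regardless of client behaviour.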