bgarrels / textpattern

Automatically exported from code.google.com/p/textpattern

Merge save_pane_state functions into one #368

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Instead of having those separate functions for each panel, we could calculate 
and use tokens. The toggle links are generated in PHP, so they could contain a 
fraud-preventing token of their own.

By using a token, you will no longer need back-offices, but just that one. This 
same code could then be re-used for any other async event apart from the 
super-advanced editors. For instance, pageby, visible columns, etc. could be 
synced the same way, having no PHP paths of their own.

Original issue reported on code.google.com by jukka.m.svahn on 24 Feb 2013 at 9:54

GoogleCodeExporter commented 9 years ago

Original comment by jukka.m.svahn on 24 Feb 2013 at 9:55

GoogleCodeExporter commented 9 years ago
Closed by r5325

Original comment by jukka.m.svahn on 24 Feb 2013 at 11:05

GoogleCodeExporter commented 9 years ago
Is this issue stuck as open to anyone else? It shows as 'assigned' for me in 
the issue list.

Original comment by jukka.m.svahn on 25 Feb 2013 at 1:46

GoogleCodeExporter commented 9 years ago
It fixed itself when I sent the last comment. Could have been a 
caching/sync/saving error somewhere.

Original comment by jukka.m.svahn on 25 Feb 2013 at 1:48

GoogleCodeExporter commented 9 years ago
Needs a substitute for the abandoned white-lists of valid pane names.

Original comment by r.wetzlmayr on 28 Feb 2013 at 3:20

GoogleCodeExporter commented 9 years ago
Which would really need a rework of the whole session handling Textpattern has. 
There is nothing private to calculate tokens from. Nothing is secure, or secret.

A system that is based on an encrypted secret, which requires the user session to be 
decrypted. Regenerated on each log in, reset on log outs.

Additionally, each user needs timestamp information and an actual semi-permanent 
unique identifier.

Original comment by jukka.m.svahn on 28 Feb 2013 at 3:34

GoogleCodeExporter commented 9 years ago
The notion "nothing is secret" applies to CSRF tokens too. This same secret 
value would allow securing and generating session IDs and other tokens where 
needed without having different DB columns for each.

This itself is quite a bit of work and remodeling and requires that we adopt one 
of the encryption methods PHP can supply. Which one? If we do, will we also up 
the password hashing method from MD5?

Original comment by jukka.m.svahn on 28 Feb 2013 at 3:38
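As an added illustration of the scheme discussed in this thread (one shared save_pane_state handler whose toggle links carry a token derived from a per-login secret, plus an allow-list replacing the abandoned per-function white-lists), here is example code that is not Textpattern's own. The function names, the `index.php?event=...` URL layout and the pane names are assumptions.

```php
<?php
// Added example, not Textpattern code: one pane-state save endpoint protected by
// an HMAC token. The secret is assumed to be generated at login, held server-side
// with the session, and discarded at logout (the "regenerated on each log in" model).

// Panes whose state may be stored (constructed allow-list; names are hypothetical).
const VALID_PANES = ['article_image', 'article_keywords', 'article_custom_fields'];

// Fresh per-login secret; 32 random bytes, stored alongside the session server-side.
function new_pane_secret(): string
{
    return bin2hex(random_bytes(32));
}

// Token bound to the pane name and the event, so a token minted for one pane
// cannot be replayed against another pane or another async event.
function pane_token(string $pane, string $secret): string
{
    return hash_hmac('sha256', 'save_pane_state:' . $pane, $secret);
}

// Toggle link emitted by the PHP side; the token travels with the async request.
function pane_toggle_link(string $pane, bool $visible, string $secret): string
{
    $query = http_build_query([
        'event'   => 'save_pane_state',
        'pane'    => $pane,
        'visible' => $visible ? '1' : '0',
        'token'   => pane_token($pane, $secret),
    ]);
    return 'index.php?' . $query;   // hypothetical URL layout
}

// Server-side check for the incoming request: the pane must be allow-listed and
// the token must match in constant time. Returns [pane => visible] on success,
// or null when the request must be rejected.
function save_pane_state(array $request, string $secret): ?array
{
    $pane  = (string) ($request['pane'] ?? '');
    $token = (string) ($request['token'] ?? '');
    if (!in_array($pane, VALID_PANES, true)) {
        return null;                                  // unknown pane name
    }
    if (!hash_equals(pane_token($pane, $secret), $token)) {
        return null;                                  // missing or forged token
    }
    return [$pane => (($request['visible'] ?? '1') === '1')];
}
```

Because the secret lives only server-side and changes at every login, a token captured from one session is useless against the next one, which is the property the per-function white-lists could not provide on their own.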