JRequest::checkToken() in model

Started by Nerijus, March 26, 2013, 09:40:26 AM

Nerijus

Hi,

Do we really need "JRequest::checkToken() or jexit( 'Invalid Token' );" in each model function (like store, move, saveorder)?
Token checking is already done in the controller.
Also, having a token check in e.g. the store method forbids model reuse when importing products from 3rd-party services.

Milbo

No, it does not forbid it; you can create a token.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Nerijus

But I have to create it and set it in the request. That means I can accidentally create and set a token for actions I did not intend to, or otherwise deny it (for example, if I create anything in a plugin on a system event).

Milbo

But this is exactly what we want. You are forced to write more securely.