Jump to content

regarding SVN 4647 (BO: option to proceed when invalid token)


smiffy

Recommended Posts

First of all, I haven't understood the rationale for using a BO token -- I mean, the pathname to admin dir is unknown / obfuscated, so a would-be hacker would need to FIND the path, then guess the admin email address or go through a hella work to brute force entry into the BO. Second, as far as I know, no Prestashop admin config exists to permit toggling the 'token check' off...

...so, I was excited to see this SVN item, but it doesn't quite meet what I've been hoping to accomplish.

Here's the workflow scenario:
-- with multiple browser tabs/windows open, I'm logged into the Prestashop BO.
-- either while browsing the frontend, or arriving at a product page after clicking a link embedded in email (prospect or customer has sent you a question about product #whatever)...

...I would like to create bookmarklet which grabs the productID (value read from a DOM element) and launches a new browser window DIRECTLY to the relevant BO "Edit Product" page.

The token check makes this nearly impossible.

I'm confused to find this SVN patch only "clears the way" for INDEX.PHP -- landing at any other internal BO url still yields the "invalid security token" message. Yes, a link displaying the patched "Don't worry I understand the risk..." text is presented, but clicking the link has zero effect. Okay, not ZERO effect -- to be clear, the page reloads/refreshes... but the page content is absent, with the "Don't worry" link (again) presented instead of the desired content.

I've planned to just mod my copy of Prestashop to omit the BO token check. I'm writing to suggest that this feature should have a configurable toggle and to ask "What was the purpose of this SVN patch? What workflow does it support?"

I was writing to ask, but

The inboxes for the following members are currently full, and to 
send this message you must remove them from your
Recipients or CC fields: Damien Metzger


so I'm posting here instead

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...