The Elgg documentation says this about action_gatekeeper():
"This function should be used in Actions in companion with the Forms system, and helps protect the action from certain forms of attack."
However, it looks like the Elgg core actions *never* call it.
In fact, looking at bug #1538 in Elgg, this call was deliberately removed from all core actions, with the comment "no need to validate token a 2nd time".
In the plugins, a very small number of them call action_gatekeeper in the actions, but not very many.
So... should my plugin actions call action_gatekeeper()?
Cash (@costelloc):
Old documentation that needs to be updated. The action gatekeeper is automatically called for all actions now, so there is no need to do this in your plugin's actions.