True, good point. I think the best way to do this is to change
functions.php to check to allow either info or write auth for this
function. Like this (with messaging thrown in), line 209

    if (BOLTauth($target, $BOLTid, 'info') === false &&
        BOLTauth($target, $BOLTid, 'write') === false) {
        if ($args['msg'] == 'true') BOLTmsg('func_info_auth', "Unable to write info var to $target.");
        return 'oops';
    }

Notice in either case, they must also have view access to function... Line 196.
I did find a big bug in the BOLTauth function however in testing this.
It seems if no line can be found that matches, you can get a false
positive. On most pages I have a default *: @somegroup, but not on the
info page...
There are two ways to fix this. I think we should use both to be
doubly safe. Namely in engine.php right around line 345 I added the
line before and modified the line after:

    if ($auth[$checkline] == '') return false;
    // Determine if id has permission on that line
    $f = explode(',', trim($find,','));

Obviously, this is a pretty important patch. A temporary workaround
is to set some default value for *: in site.auth.info, or a series of
auth lines copied from the site.auth.write page as you suggest.
Cheers,
Dan
On Mon, Oct 12, 2009 at 7:37 AM, Hans <[email protected]> wrote:
>
> by default site.auth.info says
> info*: @guest
>
> meaning anyone can write info values to pages info and below.
>
> But a member can write to any pages except code, site, template etc.
> Should not a member be allowed to write info values similarly to all
> pages she is allowed to write?
>
> So site.auth.info should be something like this:
>
> info*: @guest
> *: @member
> action*: @editor
> code*: @editor
> group*: @editor
> group.admin: @admin
> login*: @editor,@key_register
> site*: @editor
> site.auth*: @admin
> template*: @editor
>
>
> ~Hans
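
The default-deny lookup and the catch-all check discussed in this message, as an added example that is not part of the original thread and is not BoltWire's code. The function names, the "longest matching pattern wins" rule, the prefix meaning of a trailing `*`, and the page and user names in the sample calls are assumptions made for illustration.

```php
<?php
// Added example, not BoltWire code. Assumed rule format: "pattern: member,member";
// assumed matching: a trailing * is a prefix wildcard and the longest pattern wins.

function parse_auth_page(string $text): array {
    $rules = [];
    foreach (preg_split('/\R/', $text) as $line) {
        if (strpos($line, ':') === false) continue;
        [$pattern, $members] = explode(':', $line, 2);
        $members = array_filter(array_map('trim', explode(',', $members)), 'strlen');
        if (trim($pattern) !== '') $rules[trim($pattern)] = array_values($members);
    }
    return $rules;
}

function pattern_matches(string $pattern, string $page): bool {
    if (substr($pattern, -1) !== '*') return $pattern === $page;
    $prefix = rtrim($pattern, '*');
    return $prefix === '' || strncmp($page, $prefix, strlen($prefix)) === 0;
}

// Hypothetical check: $groups holds the visitor's group names without the @.
function is_authorized(array $rules, string $page, string $id, array $groups): bool {
    $best = null;
    foreach ($rules as $pattern => $members) {
        $pattern = (string) $pattern;
        if (pattern_matches($pattern, $page) && ($best === null || strlen($pattern) > strlen($best))) {
            $best = $pattern;
        }
    }
    // Fail closed: no matching line, or a matching line with no members, denies.
    if ($best === null || $rules[$best] === []) return false;
    foreach ($rules[$best] as $m) {
        if ($m === $id) return true;
        if ($m[0] === '@' && in_array(substr($m, 1), $groups, true)) return true;
    }
    return false;
}

// Audit helper: does the page define a non-empty catch-all "*:" line?
function has_catch_all(array $rules): bool {
    return isset($rules['*']) && $rules['*'] !== [];
}

// Constructed input: the default info auth page quoted in the thread, one line only.
$info = parse_auth_page("info*: @guest\n");
var_dump(is_authorized($info, 'info.test', 'hans', ['guest']));     // a line matches
var_dump(is_authorized($info, 'site.auth', 'hans', ['member']));    // no line matches
var_dump(has_catch_all($info));                                     // page lacks "*:"
```

Running `has_catch_all` over every auth page is a quick way to find pages where the outcome depends entirely on the lookup failing closed.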