Wednesday, April 18, 2007, 1:59:05 PM, The wrote:

> I have not studied the Fox security system in any degree, but if Hans
> is only relying on POST values to give users access to page editing
> functions, I'd say it is at the very least a potential security risk.
> I have mentioned this to Hans and even offered code to help with it,
> but it has not been used to my knowledge.

Since you mention Fox and calling it at the very least a potential security risk: please substantiate this claim.

I don't know what you mean by "give users access to page editing functions". But I know that with Fox it is possible to post content into pages, and also to delete posted sections if delete links are part of the template. You cannot delete pages, and you cannot overwrite content in pages. And Fox has so far no page edit function. Plus the scope of pages or groups Fox can post is by default very restricted and can be set to any kind of more or less restrictive pattern. Plus the general authorisation level for posting can be chosen by the admin, for instance to allow only posting if you got page edit rights.

I have not made claims about ZAP security. Nor could I.

Hope this helps for clarification.

~Hans
