On 5/4/07, Hans <[EMAIL PROTECTED]> wrote:
> Friday, May 4, 2007, 8:08:04 PM, Patrick R. Michaud wrote:
>
> > For the approach I'm using, the admin (or recipe) defines not
> > only pattern pages, but also the forms and other requirements
> > before posting.
>
> > Effectively, the page-pattern array will say "if a page name fits
> > this pattern, then *this* is the string check pattern to assume
> > is on that page."
>
> > So, if I were using Fox's markup, it would have entries like:
>
> >   'Site.*' => '',            # disallow updates to Site.*
> >   'PmWiki.*' => '',          # disallow updates to PmWiki.*
> >   '*-Talk' => ':foxappend',  # we can append to *-Talk
> >   '/PITS.\\d+/' => ":fox 'formname'"  # we can update PITS.\\d with formname
>
> Hmm, is this perhaps not going too far? At least for what Fox can do
> at the moment? Fox will either append or prepend posted content, so
> specifying which does not make much difference. And ":fox 'formname'"
> as a way of specifying a specific fox form is not really secure, as
> one could use any name for formname.
>
> Also it does not provide a way to post to existing or new pages which
> have no string check pattern. I think for anything like a forum or a
> blog which creates all the time automatically new pages we need to use
> no string check pattern for target pages. How would you allow for
> these?
>
> That's why I did not want to mix string check patterns with pagename
> patterns.

Just to compare, ZAP now can lock down all page writing except where
explicitly allowed on a config page (and likewise all commands except
where enabled). There's no allowed targets if the system is engaged,
and allowed pages are only allowed for specific target pages from
specific form pages. Site pages are especially blocked, requiring also
a config variable. Here's the syntax you would use in ZAP:

  Snippets_Forum: Forum          (only this page can post to this group)
  Snippets_Log: Log.2007-*       (only this page can post to pages matching this)
  Snippets_Test: Snippets.Test   (only this page can only post to itself)
  Snippets: Demo                 (any page in this group can post to any page in the other group)

And again, you still could not write to a page unless a write type
command was enabled. Also on a closed edit system, you could skip
creating these config pages, and you would have full ZAP power
everywhere with no extra admin trouble.

Seems to be working cool...

Cheers,
Dan

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
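
Added example, not part of the thread and not ZAP's or Fox's own code: a small Python model of the default-deny source-to-target allowlist described in the message above, using its four sample rules. The function names, the allow_site flag, and the choice to combine page-level and group-level rules for the same source are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule table mirroring the four sample lines in the message.
# Key: source form page ("Group_Page") or source group ("Group").
# Value: target group ("Forum") or target page pattern ("Log.2007-*").
RULES = {
    "Snippets_Forum": "Forum",
    "Snippets_Log": "Log.2007-*",
    "Snippets_Test": "Snippets.Test",
    "Snippets": "Demo",
}


def target_matches(spec, target):
    """A spec without a dot names a whole group; otherwise it is a page glob."""
    if "." not in spec:
        return target.split(".", 1)[0] == spec
    return fnmatchcase(target, spec)


def may_post(source, target, rules=RULES, allow_site=False):
    """Default deny: True only when a rule for `source` covers `target`.

    `source` is the page holding the form, `target` the page to be written;
    both must be plain "Group.Page" names.
    """
    # Malformed names (no dot, extra dots) are rejected before any matching,
    # so a glob such as "Log.2007-*" cannot be stretched across groups.
    if source.count(".") != 1 or target.count(".") != 1:
        return False
    # Site pages need the extra config switch in addition to a matching rule.
    if target.split(".")[0] == "Site" and not allow_site:
        return False
    source_group = source.split(".")[0]
    # Assumption: page-level and group-level rules for a source both apply.
    keys = (source.replace(".", "_"), source_group)
    return any(target_matches(rules[k], target) for k in keys if k in rules)


if __name__ == "__main__":
    for src, dst in [("Snippets.Forum", "Forum.Topic1"),
                     ("Main.HomePage", "Forum.Topic1"),
                     ("Snippets.Log", "Log.2006-12-31")]:
        print(src, "->", dst, ":", may_post(src, dst))
```
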
