ThomasP wrote: > On Mon, June 11, 2007 20:47, IchBin wrote: >> ThomasP wrote: >>> On Tue, June 5, 2007 20:02, IchBin wrote: >>>> IchBin wrote: >>>> >>>> Not sure if I mentioned this Thomas but as an 'admin' user there is no >>>> security problem posting a formatted item to the WikiCalendar using the >>>> (:wikilogbox:) markup. Guess this would rule out any non normalized >>>> page >>> This is indeed quite good to know!!! >>> >>>> url. The problem is only with a regular user even though they have a >>>> 'ed_Calendar.*' rule. I mean the format of the calendar days is >>>> 'Calendar.yyyymmdd'. >>>> >>> I have tested that 'Calendar.20071111' matches 'Calendar.*' with the UA2 >>> functions, so no problems from the pattern check to be expected. It >>> would >>> thus indeed be very interesting to know where the problem stems from. >>> >> ... >> 'Calendar.*' for rule 'ed_Calendar.*'. I think the rule is fine because >> if I do not use the (:wikilogbox:) markup to add or update a calendar >> date page I get no security error and works as designed.. >> >> Doing this with out the (:wikilogbox:) markup you do: >> >> - Select a day on the visible calendar on the >> 'Calendar/Calendar' page. This opens or creates a calendar date page. >> - Enter my text and save on that page and there is no problem. >> - After this it displays on the visual calendar and by using the >> (:thisweek:) markup. >> >> If I take that rule out of this group I can not do what I just mentioned >> above. So the rule is fine there is a one-to-one relationship by having >> or not having that rule. > > That is logical - so the rule itself and its interpretation by UA2 seems > not lacking. > >> Seems that the problem is the interaction between the (:wikilogbox:) and >> UserAuth2. >> > > Yes. To put a clear statement on this I would say: > > If the UA2 module indeed denies Calendar/20071111 or whatever on level > edit though ed_Calendar.* is specified in a respective user perm record, > then it is a UA2 problem and I will find the solution. (Could > theoretically happen as part of variable interference. Is improbably > though - I just had a look in the WikiCalendar code, and nothing looks > suspicious.) > > If however you get insufficient privileges with something else (for > example with a permission level that is not known to (not registered with) > UA2, much more probable from what I can see), then it is the > responsibility of WikiCalendar to make sure the right parameters are > delivered, or at least to set a default permission level mapping like > > HandleAuth['wikilog'] = ...; // whatever is useful, for example 'edit' > > [If you got a newer version of UA2, then activating the logging with > $HTMLFooterFmt[] (search for "PERM" in userauth2.php) will tell you what > exactly is blocked.] > > Thomas
Not to be missing anything I have this output _<below>_. I am not given authorization. - When trying to update with the markup for formated message to a calendar page: UA2ErrorLog: 'Access to Calendar/20070612 at level edit NOT granted. ' - Be interesting to find out what is supposed to be uploaded every screen refresh: UA2ErrorLog: 'Warning: Someone asking for permission for unknown level 'upload'. Refused. - Wondering if this is a problem with the period or just displaying a period at the end the sentence as part of the display message: UA2ErrorLog: 'Loading perm record for WET. ' - Is this wrong? I would figure this is a content page: UA2ErrorLog: 'Calendar/20070612 is a content page: no ' Here is what I captured and when: _____________________________________________________________________________________________ LOAD OF PMWIKI TO FIRST PAGE: _____________________________________________________________________________________________ UA2ErrorLog: 'Loading perm record for GuestUsers. ' UA2ErrorLog: 'Someone trying to access page Site.Login at level read. ' UA2ErrorLog: 'Site.Login is a content page: no ' UA2ErrorLog: 'Access to Site.Login at level read granted. ' _____________________________________________________________________________________________ AFTER LOGIN WITH 'WET' ACCOUNT NAME: _____________________________________________________________________________________________ UA2ErrorLog: 'Loading perm record for GuestUsers. ' UA2ErrorLog: 'Someone trying to access page Main.HomePage at level read. ' UA2ErrorLog: 'Main.HomePage is a content page: yes ' UA2ErrorLog: 'CheckUserPerms user WET page Main.HomePage level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Main.HomePage level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Main.HomePage level read... ' UA2ErrorLog: 'Access to Main.HomePage at level read granted. ' UA2ErrorLog: 'CheckUserPerms user WET page Main.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Main.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Main.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user WET page Main.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Main.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Main.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user WET page Site.SideBar level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Site.SideBar level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Site.SideBar level read... ' UA2ErrorLog: 'CheckUserPerms user WET page Main.HomePage level admin... ' UA2ErrorLog: 'CheckUserPerms user LoggedInUsers page Main.HomePage level admin... ' UA2ErrorLog: 'Loading perm record for WET. ' UA2ErrorLog: 'CheckUserPerms user admin page Main.HomePage level admin... ' UA2ErrorLog: 'CheckUserPerms user WET page Site.PageActions level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Site.PageActions level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Site.PageActions level read... ' UA2ErrorLog: 'Warning: Someone asking for permission for unknown level 'upload'. Refused. ' _____________________________________________________________________________________________ AFTER SELECTING THE CALENDAR LINK _____________________________________________________________________________________________ UA2ErrorLog: 'Loading perm record for GuestUsers. ' UA2ErrorLog: 'Someone trying to access page Calendar.Calendar at level read. ' UA2ErrorLog: 'Calendar.Calendar is a content page: yes ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar.Calendar level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Calendar.Calendar level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar.Calendar level read... ' UA2ErrorLog: 'Access to Calendar.Calendar at level read granted. ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Calendar.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar.GroupFooter level read... ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Calendar.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar.GroupHeader level read... ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar.Calendar level admin... ' UA2ErrorLog: 'CheckUserPerms user LoggedInUsers page Calendar.Calendar level admin... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar.Calendar level admin... ' UA2ErrorLog: 'Warning: Someone asking for permission for unknown level 'upload'. Refused. ' _____________________________________________________________________________________________ AFTER SUBMITTING FORMATED MESSAGE: _____________________________________________________________________________________________ UA2ErrorLog: 'Loading perm record for GuestUsers. ' UA2ErrorLog: 'Someone trying to access page Calendar/20070612 at level edit. ' UA2ErrorLog: 'Calendar/20070612 is a content page: no ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar/20070612 level edit... ' UA2ErrorLog: 'CheckUserPerms user GuestUsers page Calendar/20070612 level edit... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar/20070612 level edit... ' UA2ErrorLog: 'CheckUserPerms user LoggedInUsers page Calendar/20070612 level edit... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar/20070612 level edit... ' UA2ErrorLog: 'Access to Calendar/20070612 at level edit NOT granted. ' UA2ErrorLog: 'CheckUserPerms user WET page Calendar/20070612 level admin... ' UA2ErrorLog: 'CheckUserPerms user LoggedInUsers page Calendar/20070612 level admin... ' UA2ErrorLog: 'CheckUserPerms user admin page Calendar/20070612 level admin... ' UA2ErrorLog: 'Warning: Someone asking for permission for unknown level 'upload'. Refused. ' _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
