Dan, Thanks for your response.
I don't have my site in front of me (nor have access to it), however, whenever I put that markup ?action=attr, then it brought me to the Group Attributes page, which means that if I put for example @lock, then it locks the entire group. That's where the problem is. Also, the website has the entire attributes locked down, so that's why I needed to set the GroupAttributes part. Thanks, Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of The Editor Sent: Tuesday, November 04, 2008 1:54 PM To: Hans Cc: Swift, Chris; PmWiki Users Subject: Re: [pmwiki-users] concerning GroupAttributes a potential security risk On Tue, Nov 4, 2008 at 6:29 AM, Hans <[EMAIL PROTECTED]> wrote: > Tuesday, November 4, 2008, 10:55:48 AM, Swift, Chris wrote: > >> Do you think the idea of using autorestore for the >> Example.GroupAttributes is a good method of fixing the problem >> concerning the openness of Example.GroupAttributes, or do you (or >> anyone else) recommend a different approach? > > Well it may prevent someone permanently locking the group. > But really one would want to lock the GroupAttributes page, so that > only the admin can change attributes of it. > I don't know how to do this. > I hope Patrick has an answer for this. Don't you just set the attributes for the attributes page itself. Just go to group.attr&action=attr or something like that. Then you can't change the attr for that group without knowing the password. It's been a while since I've done this so I may not recall the exact syntax properly, but I think this may be correct. I'm sure it's in the docs--how to set the attributes for a specific page. Cheers, Dan _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
