Hans,
 
Good point!  Sorry, I should have added this last part, which would make the 
problem clearer.  Basically, I have the entire set with 
$DefaultPasswords['attr'] = crypt('secret_password'); as you said, however, I 
want people to be able to create pages within a group where they can set their 
own attributes.  That's what complicated things.  So, I first set in 
Example.GroupAttributes all of them to @nopass, so people can set their own 
passwords just for that group.  What I didn't realize is that this 
automatically makes the Example.GroupAttributes page open to anyone, because 
it's within the Example.GroupAttributes range...if that makes sense.  ;-)
 
Anyway, the only way that I could still allow people to set their own 
attributes within that group (via the Example.GroupAttributes) was to set up an 
autorestore (maybe to run every 15 seconds or so).  I have already installed 
autorestore for my wikisandbox page, so that's why I posted the other point 
before.
 
Do you think the idea of using autorestore for the Example.GroupAttributes is a 
good method of fixing the problem concerning the openness of 
Example.GroupAttributes, or do you (or anyone else) recommend a different 
approach?

Thanks,
 
Chris

________________________________

From: Hans [mailto:[EMAIL PROTECTED]
Sent: Tue 11/4/2008 11:51 AM
To: Swift, Chris
Cc: PmWiki Users
Subject: Re: [pmwiki-users] concerning GroupAttributes a potential security risk



Tuesday, November 4, 2008, 9:18:40 AM, Swift, Chris wrote:

> I'm using the http://www.pmwiki.org/wiki/Cookbook/AutoRestore (autorestore)
> function, which will automatically restore my example.GroupAttributes
> page, the only issue with that is that someone in the system could
> potentially lock different groups for a few minutes until autorestore
> has made its way back into the system.  If anyone has a better
> suggestion, please let me know.

Can you not just prevent meddling of page attributes by setting a
sitewide attr password in config.php?

$DefaultPasswords['attr'] = crypt('secret_password');

http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin


  ~Hans



_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
