On Mon, May 2, 2011 at 6:53 PM, Peter Bowers <[email protected]> wrote:
> Just for another perspective I find that in situations like this I
> tend to be "FTP-administrator-oriented" and make changes like this in
> my config.php rather than doing them in the
> GroupAttributes?action=attr section. I just find it hard to remember
> when I've got a complicated setup with config spread across multiple
> locations and it's easier for me when it's all in one place. So I end
> up with something like this:
>
> ## Get the group and page name
> $pagename = ResolvePageName($pagename);
> #$page = PageVar($pagename, '$FullName'); // not needed for this example
> $group = PageVar($pagename, '$Group');
> #$name = PageVar($pagename, '$Name'); // not needed for this example
> ...
> $DefaultPasswords['edit'] = array('@editors'); // note the array(...)
> if (inlist($group, array('GroupA', 'GroupB', 'GroupC')))
>   $DefaultPasswords['edit'][] = '@friends';
Randy pointed out (below) a serious security hole that I've been inadvertently leaving on my sites ever since I started doing that config.php-only type of password-setting that I suggested above. If I am viewing a group for which I have read permission I can then (:include:) a page for which I do *not* have read permission.

Please do *not* use my suggestion for setting just $DefaultPasswords in config.php. It is not just that it is "not preferable" as I thought but simply wrong.

-Peter

On Mon, May 2, 2011 at 7:49 PM, Randy Brown <[email protected]> wrote:
> If I understand your configuration method correctly, it may have a security
> hole. You may want to fix the hole.
> After you've done that, we should update your suggestion on the mailing list
> with an explanation of the hole.
>
> The problem is that when you set $DefaultPasswords based on the group of a
> specific page, that authorization becomes the default authorization not just
> for the specific page you intended but for all pages that use the site-wide
> default.
> ...
> It would be nice if there were a way to set default permissions in config.php
> with the outcome that you intended, but I know of no mechanism.

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
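The mechanism Randy describes (a request-wide default that is computed from the group of the page being viewed, and therefore also governs every page fetched by (:include:) during that request) is easy to see in a small model. The following is an added illustration written for this thread, not PmWiki's own code: it reduces the authorization lookup to the one rule the discussion relies on, namely that an attribute stored with a page (or its group) wins, and only in its absence does the engine fall back to the request-wide default that config.php set. The page names, the `PAGES`/`GROUP_ATTRS` tables and the helper names are constructed for the example; the "broken" branch reproduces Peter's group-conditional assignment, the "fixed" branch models keeping group passwords in stored attributes (the GroupAttributes approach) and leaving the site default alone.

```python
"""Model of why a group-conditional $DefaultPasswords in config.php leaks.

Added illustration, not PmWiki code.  config.php runs once per request,
keyed on the *requested* page, so a default derived from that page's group
applies to every page retrieved during the request, including pages pulled
in by (:include:).  Attributes stored per page or per group do not have
that problem because they travel with the page being looked up.
"""

# Constructed sample wiki: page -> stored read attribute (None = "use the
# site-wide default", i.e. the page was never given its own password).
PAGES = {
    "GroupA.HomePage": {"read": None},        # relies on the site default
    "Secret.Plans":    {"read": None},        # relies on the site default
    "Locked.Page":     {"read": ["@staff"]},  # explicit per-page attribute
}

# Constructed group-level attributes (what GroupAttributes?action=attr
# stores), used only by the "fixed" configuration.
GROUP_ATTRS = {
    "GroupA": {"read": ["@friends"]},
}

# Site-wide default that config.php sets unconditionally.
SITE_DEFAULT = {"read": ["@editors"]}


def group_of(pagename):
    """'GroupA.HomePage' -> 'GroupA'."""
    return pagename.split(".", 1)[0]


def broken_config(requested_page, site_default):
    """The pattern from the thread: widen the request-wide default when the
    *requested* page belongs to a chosen set of groups."""
    defaults = {k: list(v) for k, v in site_default.items()}
    if group_of(requested_page) in ("GroupA", "GroupB", "GroupC"):
        defaults["read"].append("@friends")
    return defaults


def effective_read_list(page, defaults, group_attrs=None):
    """Resolution order: page attribute, then group attribute (only when the
    fixed configuration is modelled), then the request-wide default."""
    stored = PAGES[page]["read"]
    if stored is not None:
        return stored
    if group_attrs is not None:
        g = group_attrs.get(group_of(page))
        if g and g.get("read") is not None:
            return g["read"]
    return defaults["read"]


def can_read(page, user_groups, defaults, group_attrs=None):
    allowed = effective_read_list(page, defaults, group_attrs)
    return any(g in allowed for g in user_groups)


def render_with_include(requested, included, user_groups, use_group_attrs):
    """One HTTP request: config.php runs once for `requested`; the engine
    then fetches `included` under the same request-wide defaults.
    Returns (may_read_requested, may_read_included)."""
    if use_group_attrs:
        defaults = SITE_DEFAULT                    # config.php leaves it alone
        attrs = GROUP_ATTRS
    else:
        defaults = broken_config(requested, SITE_DEFAULT)
        attrs = None
    return (
        can_read(requested, user_groups, defaults, attrs),
        can_read(included, user_groups, defaults, attrs),
    )


if __name__ == "__main__":
    # A member of @friends views GroupA.HomePage, which includes Secret.Plans.
    print("broken:", render_with_include("GroupA.HomePage", "Secret.Plans",
                                         ["@friends"], use_group_attrs=False))
    print("fixed: ", render_with_include("GroupA.HomePage", "Secret.Plans",
                                         ["@friends"], use_group_attrs=True))
```

Run as a script, the "broken" line reports that the @friends user can read both the GroupA page and the included Secret.Plans page, because Secret.Plans has no stored attribute and the request-wide default was already widened to include @friends when config.php ran for GroupA.HomePage; requesting Secret.Plans directly in the same model is denied, which is exactly why the hole only shows up through (:include:). The "fixed" line grants GroupA.HomePage through the stored group attribute and denies Secret.Plans, since the site default was never touched.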
