I should have emailed this, but the updated solution I have so far is
to limit edit access to the group WikiSh to administrators, and limit
view access to editors. I added this in my config.php (near the end):
#wikish
include_once("$FarmD/cookbook/toolbox.php");
include_once("$FarmD/cookbook/WikiSh.php");
if ($group == 'WikiSh' && CondAuth($pagename,'admin'))
include_once("$FarmD/cookbook/WikiShCL.php");
include_once("$FarmD/cookbook/SecLayer.php"); // note this includes
stdconfig.php
$EnableWikiShWritePage = true;
$EnableWikiShCreatePage = true;
$EnableWikiShOverwritePage = true;
$EnableWikiShRemove = true;
if ($group=='WikiSh'){
if ($pagename=='WikiSh.Rename'){
if(CondAuth($_GET["OldPage"], 'edit') &&
CondAuth($_GET["NewPage"], 'edit')){
slAddAuth($wshAuthPage, "*.*",
"read,create,insert,overwrite,append,prepend,attr,delete");
}
else{
slAddAuth($wshAuthPage, "*.*", "read");
}
}
else{
slAddAuth($wshAuthPage, "*.*",
"read,create,insert,overwrite,append,prepend,attr,delete");
}
}
else{
slAddAuth($wshAuthPage, "*.*", "read");
}
# cookbook/powertools.php is *very* helpful in the wikish environment
but is optional.
# If you decide to install it you will need to go that page and
download it and install
# it as follows:
include_once("$FarmD/cookbook/powertools.php");
#end wikish
This is all to avoid renaming links if someone is not authorized to
edit either the old page or the new page. Only admins have permission
to edit anything in the WikiSh group, but editors are allowed to view
pages in the WikiSh group (thus being able to make use of the scripts
provided for them.) So essentially, only admins are allowed to create
WikiSh scripts, but editors are allowed to use them by viewing the
pages they create.
Alex
PS: I will consider putting this on the cookbook examples page as it
took quite a bit of work get working, however it seems oddly specific
a particular set of needs.
On Jul 27, 2012, at 6:52 PM, Peter Bowers wrote:
On Wed, Jul 25, 2012 at 12:32 AM, Alex Eftimiades
<[email protected]> wrote:
if (CondAuth($pagename, "admin")) {
slAddAuth($wshAuthPage, "*.*",
"read,create,insert,overwrite,append,prepend,attr,delete");
$EnableWikiShDeletePage = true;
$EnableWikiShChmod = true;
...
I tried modifying the CondAuth line with an "or $group=='WikiSh'" for
starters, but that did not seem to make a difference. I am quite
confused as
to how to go about doing this.
You wouldn't want to give this much permission to anybody accessing
any page in the WikiSh group unless you have a very (!) trusted group
of editors. Some malicious person could, for instance, go to
WikiSh.ControlPanel and execute a command like "rm *.*", thus deleting
your entire wiki. Of course you could go in behind the scenes and
undelete them, but it would probably be a Very Bad Day... WikiSh is a
sharp tool which has the potential to cut the user if you're not very
careful...
However, as long as you make sure only very trusted individuals have
edit capability on the WikiSh.Rename page (like if it is locked to the
admin password) then you could give the permissions needed just when
someone was doing the (pre-approved, unchangeable) script on that
page:
if (CondAuth($pagename, "admin") || (CondAuth($pagename, "edit") &&
$pagename == 'WikiSh.Rename')) {
(Note that if your $pagename has not been resolved yet then it could
look like WikiSh/Rename or something (note the slash instead of the
period), but resolving $pagename (ResolvePageName) sets some cache
values which should probably be done very close to the end of the
config.php. Note Petko's advice in
http://www.pmichaud.com/pipermail/pmwiki-devel/2009-April/001613.html.
It's documented somewhere else in more detail, but this is the link I
found first and it should suffice)
You've done a nice job of implementing the rename form. Feel free to
document your solution in the WikiShExamples if you like.
Do be aware that if someone has set a per-page or per-group password
somewhere such that the current user does not have edit permissions
then WikiSh will *not* do the text substitution to fix the links on
that page. WikiSh *always* honors pmwiki authorizations according to
the level of the current user. [1] I'm assuming in your case most
people are using a single edit password and so that doesn't cause
problems, but I just mention it to be clear...
-Peter
[1] You can override this, but it's been made difficult to do
intentionally because you should almost never do this.
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
