That's worth being aware of - thanks. (In my case the whole site is protected by an edit password, so I guess that's not an issue at the moment.)
James On 1 July 2015 at 00:27, Randy Brown <[email protected]> wrote: > Beware: An edit password will not protect everything on a readable page > that is hidden by (:if false:). This is because an unauthorized user can > use (:include:) on another page with the lines= option to circumvent your > conditional. > > If you need something to be well protected, put it on a separate read > protected page. If you need to see it sometimes on an unprotected page > depending on a conditional, you can include it from the protected page - > it will only be visible to users who can read both pages. > > Randy > > On 2015-06-28 22:53, JamesM wrote: > > I've been using pmwiki for a few years, and have only just discovered > > the > > &action=source thing. > > Unfortunately, this shows the entire source, including things written > > after > > (:if false:), which I use for hiding information (it's on a lecture > > course > > website, and I have some stuff hidden from student view). > > > > So, how can I disable &action=source? > > Or better, password protect it. > > > > I tried putting > > $DefaultPasswords['source']=' .... '; > > into config.php. This works for ['admin'] and ['edit'] but seems to > > make > > no difference for ['source']. > > _______________________________________________ > pmwiki-users mailing list > [email protected] > http://www.pmichaud.com/mailman/listinfo/pmwiki-users >
_______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
