[pmwiki-devel] Require a password to edit RecentChanges (etc.) pages: regex problem

Patrick R. Michaud pmichaud at pobox.com
Wed Dec 6 11:21:15 CST 2006


On Tue, Dec 05, 2006 at 10:00:39AM +0000, Hans wrote:
> Tuesday, December 5, 2006, 7:02:39 AM, Simon wrote:
> > I've added the following to my config.php,
> > but I don't get the prompt for a password.
> > I suspect my regex is wrong, can anyone help please
> 
> > ## Require a password to edit RecentChanges (etc.) pages.
> > if ($action=='edit'
> >     &&
> > preg_match('/\\.(Search|(Main|Side)Bar|Group(Header|Footer|Attributes)|(All)?RecentChanges)$/',
> > $pagename))
> >   { $DefaultPasswords['edit'] = crypt('mysecretpassword!'); }
> 
> AFAIK there is no way you can set a password to individual pages from
> within a local customisation file, because password attributes reside
> in the page, or in the GroupAttributes page for group wide passwords.
> Any attempts to do so will still leave security holes, because the
> page can still be accessed in other ways.

In general this is indeed the correct and safest way to think about it.

But for clarity: the real issue is in trying to use $DefaultPasswords
to set 'read' passwords from within per-group or per-page
customization files.  This is because of things like (:include:)
where one page may attempt to incorporate another page's
"read protected" contents -- in such cases, the per-group or
per-page customization file isn't loaded at all.

Setting other site-wide passwords such as 'edit' is quite a bit
safer in a local customization file, since the only time those
passwords are used is when someone is doing ?action=edit on that
specific page.  Or, in other words, we don't normally allow a
page to be edited under another page's customizations.

Thanks,

Pm
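
A simplified model of the include behaviour described in the message above. This is an added example, not part of the original post and not PmWiki's own code. Every function name, page name and password in it is a constructed assumption, and passwords are compared in plaintext only to keep the model short.

```php
<?php
// Simplified model (constructed; not PmWiki source) of per-group 'read'
// defaults versus includes. All names here are hypothetical.

$pages = [  // constructed sample pages
    'Main.Public'   => ['text' => 'A: (:include Secret.Plans:) B: (:include Secret.Stored:)'],
    'Secret.Plans'  => ['text' => 'draft budget'],                         // no stored attribute
    'Secret.Stored' => ['text' => 'payroll', 'passwdread' => 'stored-pw'], // attribute lives in the page
];

// Models loading a per-group customization file: it runs only for the page
// named in the request, never for pages pulled in by an include.
function load_customizations(string $requested): array {
    $defaults = [];
    if (strncmp($requested, 'Secret.', 7) === 0) {
        $defaults['read'] = 'local-pw';
    }
    return $defaults;
}

// A page's own attribute wins; otherwise fall back to the request-wide default.
function required_read_password(string $name, array $pages, array $defaults): ?string {
    return $pages[$name]['passwdread'] ?? $defaults['read'] ?? null;
}

function render(string $name, array $pages, array $defaults, ?string $supplied): string {
    $need = required_read_password($name, $pages, $defaults);
    if ($need !== null && ($supplied === null || !hash_equals($need, $supplied))) {
        return '[denied]';
    }
    // Included pages are checked against the requesting page's defaults,
    // because the included page's customization file was never loaded.
    return preg_replace_callback(
        '/\(:include\s+([\w.]+):\)/',
        fn($m) => isset($pages[$m[1]]) ? render($m[1], $pages, $defaults, $supplied) : '',
        $pages[$name]['text']
    );
}

function handle_request(string $requested, array $pages, ?string $supplied = null): string {
    return render($requested, $pages, load_customizations($requested), $supplied);
}

echo handle_request('Secret.Plans', $pages), "\n"; // direct request: the per-group default applies
echo handle_request('Main.Public', $pages), "\n";  // via include: only the stored attribute still applies
```

In this model the page protected only by the per-group default is refused when requested directly but rendered when included from `Main.Public`, while the page carrying its own stored attribute is refused on both paths.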


