[Pmwiki-users] security problem -> edit password
Christian Ridderström
chr
Fri Jan 23 05:20:24 CST 2004
On Fri, 23 Jan 2004 lists at basel-inside.ch wrote:
> > Just this moment I found a mysterious thing.
> >
> > Some of my pages I have secured with a password on read-level. This works
> > fine so far, but if I add the param =edit directly to the URI then I can read
> > the contents of the secured page without being asked for a password.
> >
> > Is this a known problem?
> >
> > What can I do to work around this?
>
> A read password doesn't imply an edit protection,
> you have to set an edit password as well.
Hmm... isn't this sort of wrong? Shouldn't a password for read be implied
if there's one for reading the page? And similarly, if there's a read
password, shouldn't there be one for modifying the attributes?
I guess this all depends on how much you care about security though.
Anyway, we should at least think about adding some text to the attribute
page that explains these issues (e.g. that edit will still be available
even if there's a read password, etc.).
/Christian
--
Dr. Christian Ridderström, +46-8-768 39 44 http://www.md.kth.se/~chr