[pmwiki-users] PmWiki configuration via PmWiki
jo at durchholz.org
Thu Apr 21 03:07:42 CDT 2005
Patrick R. Michaud wrote:
> I posted my opinion on this in http://www.pmwiki.org/wiki/PITS/00394.
Ah - the security issue raised on that page is indeed something to consider.
I have a feeling that editing PHP on the configuration pages doesn't
create any security problems above those already present. If some other
site on the same server can edit pages, it can abuse the wiki already,
and the ability to inject PHP code and have it executed doesn't give it
any capabilities that doesn't have already (it doesn't gain read or
write access above what it already has, and it also can execute scrips
already, so there's no point in doing it through a PmWiki installation).
That's just what occurred to me, I don't have the time to consider
> The bottom line is that since we can't get rid of configuration in PHP,
> in general it's better to stick with PHP syntax except in those cases
> where some configuration component needs to be managed by multiple
> authors/admins (e.g., blocklists, sidebars, and translations)
I'm not sure where to draw the line here. Is there *anything* that
couldn't be managed by multiple admins?
Besides, I for one would really like to be able to edit the
configuration through PmWiki. I do have ssh access and are reasonably
fluent with it, but I have no xterm, and Unix text-mode editors tend to
be rather inconvenient, so I constantly download configuration files,
edit them, and upload them. Worse, one site is being co-administered,
and there were several instances where configuration changes made by one
were overwritten by the other.
Being able to do all configuration though PmWiki itself would get me the
benefit of conflict management (once we get it to work though - I'll
check wether my installation has the same safemode problem; good thing
if it's that, since the only installation that has safe mode activated
is the single-author one).
More information about the pmwiki-users