[pmwiki-users] read password information leak
Patrick R. Michaud
pmichaud at pobox.com
Mon Mar 7 13:12:26 CST 2005
On Mon, Mar 07, 2005 at 01:57:36PM -0500, Neil Herber wrote:
> There is something fishy here.
>
> If I enter "/Main/HomePage?action=attr" I get a password request that has
> the background color of my skin.
>
> If I enter "/Main/HomePage?action=refcount" I get a password request that
> has a white background.
For ?action=attr, the password request is taking place after the
skin is loaded.
For ?action=refcount, the password request is taking place before
the skin is loaded -- i.e., at the time the farmconfig.php file is
being parsed.
As part of the password/authorization revamping I'm planning to
introduce an array that can associate access requirements with
actions, so it's probably worthwhile to just wait for that and
go with the $_SERVER['REMOTE_USER'] solution for now.
When I have per-action controls in place, the config will probably be
(variable name may change):
$ActionAccessLevel['refcount'] = 'admin';
Similarly, one will be able to do
$ActionAccessLevel['diff'] = 'edit';
to indicate that viewing of page history requires 'edit' permission,
as opposed to the $DiffAccessLevel variable that PmWiki v1 used.
Pm
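As an added illustration (not PmWiki code, and not from Pm's message), here is what a per-action access table of the kind sketched above could look like when used to gate a request. The variable name $ActionAccessLevel is the one Pm mentions as provisional; the level names, the $AuthLevelRank ordering that treats admin as satisfying every lower level, and the actionAllowed() helper are all assumptions made for this example. The point worth keeping in mind is the default: an action with no entry in the table is denied rather than silently allowed, so adding a new action without registering its requirement fails closed.

```php
<?php
// Added example, not PmWiki's own code. $ActionAccessLevel is the provisional
// name from Pm's message; the ranking and helper below are assumptions.

// Assumed ordering of auth levels, least to most privileged.
$AuthLevelRank = ['read' => 0, 'edit' => 1, 'attr' => 2, 'admin' => 3];

// Hypothetical per-action requirements, as the message describes them.
$ActionAccessLevel = [
    'browse'   => 'read',
    'diff'     => 'edit',   // viewing history requires 'edit' (replaces $DiffAccessLevel)
    'attr'     => 'attr',
    'refcount' => 'admin',
];

// Return true only when a user holding $userLevel may run $action.
// Unknown actions and unknown levels are denied (fail closed).
function actionAllowed(array $table, array $rank, string $action, string $userLevel): bool
{
    if (!isset($table[$action])) {
        return false;
    }
    $required = $table[$action];
    if (!isset($rank[$required]) || !isset($rank[$userLevel])) {
        return false;
    }
    return $rank[$userLevel] >= $rank[$required];
}

// Constructed sample requests: [action, level the requester authenticated at].
$checks = [
    ['refcount', 'edit'],
    ['refcount', 'admin'],
    ['diff', 'read'],
    ['diff', 'edit'],
    ['unregistered', 'admin'],   // no table entry, so denied regardless of level
];

foreach ($checks as [$action, $level]) {
    $verdict = actionAllowed($ActionAccessLevel, $AuthLevelRank, $action, $level)
        ? 'allowed' : 'denied';
    printf("%-13s as %-5s => %s\n", $action, $level, $verdict);
}
```

Because the check is a plain table lookup, it can run wherever the request is dispatched, after the skin has loaded, rather than partway through parsing farmconfig.php, which is the difference behind the two differently styled password prompts in the quoted report.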