[pmwiki-users] what actions does HandleAuth control?

Patrick R. Michaud pmichaud at pobox.com
Tue Aug 29 09:59:45 CDT 2006

On Tue, Aug 29, 2006 at 06:52:34AM -0700, Tony Colley wrote:
>    In my local/config.php I have the following lines:
>    ## Keep non-editors from doing most actions
>    $HandleAuth['diff'] = 'edit';
>    $HandleAuth['source'] = 'edit';
>    $HandleAuth['phpinfo'] = 'edit';
>    $HandleAuth['diag'] = 'edit';
>    $HandleAuth['ruleset'] = 'edit';
>    Only the diff and source actions seem to be affected, that is, I can still
>    do the phpinfo, diag, and ruleset actions even though not "logged in".
>    Attempting diff and source actions gives me a login page as expected.
>    I would like to have the diagnostic tools available, but only to editors.
>    Is there another way to do this... or can $HandleAuth be extended to the
>    diagnostic actions?

Not easily -- authorizations are really tied to pages as opposed to the
site as a whole, and phpinfo, diag, and ruleset are really "independent"
of pages.  Plus, if we tie it to the edit action, it means that the
edit action on any page gives access to the diagnostic.

Also, in many ways we don't want to tie ?action=diag into the
authorization systems because often it's the authorization systems 
that we're trying to diagnose!  :-)

Still, it's possible to do what you want -- try enabling the
diagnostics only if the person has edit privileges:

    $EnableDiag = CondAuth('Main.HomePage', 'edit');

A nice bonus of this approach is that the diagnostic routines
in scripts/diag.php get loaded only if the person has edit
privileges.  :-)

Of course, you can substitute any other page for Main.HomePage
in the above, or even tie it to the current page:

    $pagename = ResolvePageName($pagename);
    $EnableDiag = CondAuth($pagename, 'edit');


More information about the pmwiki-users mailing list