[pmwiki-users] New recipe: Fox

Hans design5 at softflow.co.uk
Mon Dec 18 02:56:01 CST 2006


Sunday, December 17, 2006, 7:46:31 PM, marc wrote:

>> Btw, I also see the 'delete' buttons when the user is not logged in.

> Just to add to the intrigue, I ran this on a mirror of the site running
> Linux and it was possible to post without logging in, but it was also
> possible to delete /all/ comments.

About being able to delete posts:
If you see a delete link, you can use it.

I am not trying to redefine PmWiki's security philosophy, which
takes the point of view that a page is the smallest unit for security
protection. Parts of a page may be hidden for groups of users with
conditional markup for instance, but those hidden parts are not really
safely protected.

Now in the examples I have put up I am trying to hide the delete
buttons by using a conditional checked on the author name.
This conditional is not actually part of PmWiki's core set of
conditionals, so you need to define it in a local config file first:

# add conditional markup: (:if author AUTHORNAME:)
$Conditions['author'] = "\$GLOBALS['Author']==\$condparm";

I could perhaps include it in fox.php,
and/or simplify my examples. Sorry for the omission!

To make delete buttons a little safer, it may be better to use
the following in a template:

(:if expr ( authid && author {author} ):){[foxdelrange]}(:if:)

But this will only create delete links for users who are logged in via
AuthUser, excluding guest visitors.

Or have a delete button only for admin use:

(:if auth admin:){[foxdelrange button]}(:if:)

Hope this clears some confusion!
Sorry I can't give any more ideas at present about your problems
saving pages. If you find out more please let me know!


Hans
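
Added example (not part of Hans's message, and not Fox or PmWiki code): a small Python model of the three template guards discussed above, showing which constructed visitors would be shown a delete link. It assumes the default setup in which the author name is whatever the visitor entered in the author field; the Visitor fields and function names are made up for this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Visitor:
    label: str
    author: str = ""        # models $Author: the name in the author field (self-declared)
    authid: str = ""        # models $AuthId: set only after an AuthUser login
    is_admin: bool = False  # models a visitor who passes "auth admin"

# One function per guard from the message; post_author stands in for {author}.
def author_only(v, post_author):
    # (:if author {author}:) -> plain string comparison, no login involved
    return v.author == post_author

def authid_and_author(v, post_author):
    # (:if expr ( authid && author {author} ):)
    return bool(v.authid) and v.author == post_author

def admin_only(v, post_author):
    # (:if auth admin:)
    return v.is_admin

GUARDS = {"author": author_only, "authid && author": authid_and_author, "auth admin": admin_only}

# Constructed visitors, not taken from any real site.
VISITORS = [
    Visitor("guest, empty author field"),
    Visitor("guest, author field 'alice'", author="alice"),
    Visitor("alice, logged in", author="alice", authid="alice"),
    Visitor("bob, logged in, author field 'alice'", author="alice", authid="bob"),
    Visitor("admin", author="admin", is_admin=True),
]

def who_sees_delete(post_author):
    """Map each guard to the labels of visitors who would be shown the delete link."""
    return {name: [v.label for v in VISITORS if guard(v, post_author)]
            for name, guard in GUARDS.items()}

def guards_open_to_guests(post_author):
    """Guards that show the link to at least one visitor with no login at all."""
    return [name for name, guard in GUARDS.items()
            if any(guard(v, post_author) for v in VISITORS
                   if not v.authid and not v.is_admin)]

if __name__ == "__main__":
    for post_author in ("alice", ""):   # "" models a comment posted without a name
        print(f"post author = {post_author!r}")
        for name, labels in who_sees_delete(post_author).items():
            print(f"  {name:18} -> {labels}")
```

Because a visible delete link is a usable one here, the rows for the author-only guard are the ones to review before relying on a template.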




