[pmwiki-users] commenting to private pages

Hans design5 at softflow.co.uk
Tue Dec 19 16:19:23 CST 2006


Tuesday, December 19, 2006, 9:50:52 PM, Patrick wrote:

> Phrased another way, when Fox has decided that it's
> okay to post to a page regardless of permissions, it can just pass
> 'ALWAYS' to the RetrieveAuthPage function instead of 'read' or 'edit'.

I had to read that sentence once more, and would like to comment:
I have taken the attitude with Fox, that it should not be able to
decide when it is okay to post to a page, from any markup on a page or
from some GET or POST string, but that decision is better left to an
admin via configuration in local config files.

Maybe I am a bit too paranoid to open some security hole.

I think ideally I would like a variable like $FoxAuth being part of page
attributes: Set Fox Auth level: [.....]
and a user with 'attr' access privilege can set these.

Perhaps that can be done already.
But probably should not be a part of fox.php?

It was mentioned previously as a 'commenting' level.
Perhaps better called a 'post' level:
You are privileged to read and to post, but not to edit or anything
else fancy.


Hans
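
The design choice described in the message above, as an added example that is not part of the original post and is not Fox's own code: the auth level a form post is checked against comes only from an admin-set table in local configuration, and a level named in the request is ignored. `$FoxPostAuth`, `fox_post_level()` and the `foxauth` request field are hypothetical names; the glob patterns, the allowed-level list and the 'edit' fallback are assumptions.

```php
<?php
// Added example. $FoxPostAuth, fox_post_level() and the 'foxauth' request
// field are hypothetical names, not part of PmWiki or Fox.

// Admin-set table, as it would sit in a local config file:
// page-name pattern => auth level a poster must hold on the target page.
$FoxPostAuth = [
    'Comments.*' => 'read',   // readers may post here without edit rights
    'Private.*'  => 'edit',
];

// Levels the admin table may name (assumed set). 'ALWAYS' is deliberately
// absent, so a typo or a pasted recipe cannot switch the check off.
const FOX_ALLOWED_LEVELS = ['read', 'edit', 'attr', 'admin'];

// Resolve the level for $pagename from configuration only.
// $request is accepted solely to show that it is never consulted.
function fox_post_level(string $pagename, array $config, array $request = []): string
{
    foreach ($config as $pattern => $level) {
        if (fnmatch($pattern, $pagename)) {
            // Unknown or disallowed level in the table: fail closed to 'edit'.
            return in_array($level, FOX_ALLOWED_LEVELS, true) ? $level : 'edit';
        }
    }
    return 'edit'; // no rule for this page: posting needs edit rights
}

// Constructed request in which the client tries to choose its own level.
$request = ['foxauth' => 'ALWAYS'];

foreach (['Comments.Blog', 'Private.Notes', 'Main.HomePage'] as $page) {
    printf("%-15s -> %s\n", $page, fox_post_level($page, $FoxPostAuth, $request));
}
```

The resolved level is what would be handed to RetrieveAuthPage in place of any value taken from page markup or from a GET or POST string.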




