[pmwiki-users] commenting to private pages

Patrick R. Michaud pmichaud at pobox.com
Tue Dec 19 16:33:33 CST 2006


On Tue, Dec 19, 2006 at 10:19:23PM +0000, Hans wrote:
> Tuesday, December 19, 2006, 9:50:52 PM, Patrick wrote:
> 
> > Phrased another way, when Fox has decided that it's
> > okay to post to a page regardless of permissions, it can just pass
> > 'ALWAYS' to the RetrieveAuthPage function instead of 'read' or 'edit'.
> 
> I had to read that sentence once more, and would like to comment:
> I have taken the attitude with Fox, that it should not be able to
> decide when it is okay to post to a page, from any markup on a page or
> from some GET or POST string, but that decision is better left to an
> admin via configuration in local config files.

...and this is a difficult decision, and tough to explain to
newbie administrators.

> It was mentioned previously as a 'commenting' level.
> Perhaps better called a 'post' level:
> You are privileged to read and to post, but not to edit or anything
> else fancy.

FWIW, it looks like you're retracing the exact same steps that I 
had gone through with developing ?action=insert back in October,
except I was calling the new level 'insert' instead of 'post'.

It may also be worth noting that I think ?action=insert could
end up obsoleting much of this once I get it working.  (And the
fact that I haven't gotten it working yet is probably a good
indication of how difficult it is to get the security correct
for this type of action.)  

I recognize that people are impatient to get something working, 
but it's also important that it be done right.

Pm
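
One way to keep that decision in the administrator's configuration rather than in the request, as an added PHP example that is not part of this message and is not Fox or PmWiki code. `$PostAlwaysPatterns` and `PostAuthLevel()` are hypothetical names and the sample requests are constructed; `RetrieveAuthPage`, `'ALWAYS'` and `'edit'` are the ones named in the thread.

```php
<?php
// Added illustration; not Fox or PmWiki source code.
// Hypothetical setting an admin would place in local/config.php: page-name
// patterns that may receive posts from users who lack 'edit' rights.
$PostAlwaysPatterns = array('Comments.*', 'Private.*-Talk');

// Return the level to pass as the second argument of RetrieveAuthPage().
// Only the admin's pattern list can select 'ALWAYS'; no GET/POST field and
// no value generated from page markup is consulted for that choice.
function PostAuthLevel($target, $patterns) {
  // Accept only a plain Group.Name target; anything else gets the normal check.
  if (!preg_match('/^[A-Za-z0-9][-\w]*\.[A-Za-z0-9][-\w]*\z/', $target)) {
    return 'edit';
  }
  foreach ($patterns as $pat) {
    if (fnmatch($pat, $target)) return 'ALWAYS';
  }
  return 'edit';
}

// Constructed requests, including one that asks for the bypass itself and
// one whose target is not a plain page name.
$samples = array(
  array('target' => 'Comments.HomePage'),
  array('target' => 'Private.Budget-Talk'),
  array('target' => 'Private.Budget', 'auth' => 'ALWAYS'),
  array('target' => 'Comments.HomePage/../Site.AuthUser'),
);
foreach ($samples as $req) {
  // The request's own 'auth' field is never read.
  $level = PostAuthLevel($req['target'], $PostAlwaysPatterns);
  echo str_pad($req['target'], 40), ' => ', $level, "\n";
  // Inside PmWiki the posting handler would then call:
  //   $page = RetrieveAuthPage($req['target'], $level);
}
```

Only the first two targets resolve to `'ALWAYS'`; the other two fall back to the ordinary `'edit'` check.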