[pmwiki-users] How to protect an action ?
H. Fox
haganfox at users.sourceforge.net
Tue Jan 17 12:24:14 CST 2006
On 1/17/06, Roman <romat2 at gmail.com> wrote:
> I protect it this way (in config.php):
>
> if ($action=='diff') $action='browse';
>
> (and similarly for other protected actions)
Are you sure you caught them all? One way to be sure is to deny any
actions you don't explicitly allow.
  $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
  if (! $page['=auth']['edit']) {
    ## Allow only essential site-related actions.
    $Actions_allowed =
      array('browse', 'print', 'search', 'edit', 'login', 'rss', 'atom');
    if (! in_array($action, $Actions_allowed)) { $action = 'browse'; }
  }
You can also do
  (:if auth edit:)
  [...the history link...]
  (:if:)
so there won't be a tempting (broken) History link to follow.
Hagan
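
The two approaches in this thread compared side by side, as an added example that is not part of the original messages or of PmWiki. The helper names gate_denylist and gate_allowlist are hypothetical, the requested action names are a constructed sample, and 'someaddon' stands for an action an add-on might register.

```php
<?php
// Added illustration, not PmWiki code.

// Denylist: remap only the actions you remembered to list.
function gate_denylist($action, array $denied) {
    return in_array($action, $denied, true) ? 'browse' : $action;
}

// Allowlist: anything not explicitly named falls back to 'browse',
// including non-string input such as ?action[]=diff.
function gate_allowlist($action, array $allowed) {
    return (is_string($action) && in_array($action, $allowed, true))
        ? $action : 'browse';
}

// Return the requested actions that a gate lets through unchanged
// even though they are not on the allowlist.
function slipped_through(array $requested, callable $gate, array $allowed) {
    $out = array();
    foreach ($requested as $a) {
        if ($gate($a) === $a && !in_array($a, $allowed, true)) { $out[] = $a; }
    }
    return $out;
}

$denied  = array('diff');   // the single remap from the quoted message
$allowed = array('browse', 'print', 'search', 'edit', 'login', 'rss', 'atom');

// Constructed sample of requested actions.
$requested = array('browse', 'diff', 'source', 'attr', 'upload', 'someaddon');

$deny_gate  = function ($a) use ($denied)  { return gate_denylist($a, $denied); };
$allow_gate = function ($a) use ($allowed) { return gate_allowlist($a, $allowed); };

echo "denylist lets through:  ",
    implode(', ', slipped_through($requested, $deny_gate, $allowed)), "\n";
echo "allowlist lets through: ",
    implode(', ', slipped_through($requested, $allow_gate, $allowed)), "\n";
```

With the denylist, every action that was not anticipated is passed on unchanged; with the allowlist, the second list is empty.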