[pmwiki-users] self-registering for notification emails

Tegan Dowling tmdowling at gmail.com
Mon Jun 5 09:43:43 CDT 2006


On 6/5/06, Neil Herber <nospam at eton.ca> wrote:
> At 2006-06-05  09:11 AM -0500, Ben Wilson is rumored to have said:
> >For what it's worth, I am beginning to take a different approach to
> >the same thing. When you use (:if:) conditionals to conceal text,
> >remember that if a user can ?action=source, then the concealed text is
> >available.
>
> Hi Ben
>
> I am not sure that you have to be quite this cautious. Action
> "source" requires "edit" permission (at least it does on my wikis).
> One potential security leak is action "diff" which will expose edits
> to anyone with read access. The way around that is to recreate the
> page without history after an edit.

I don't believe that all wikis do have ?action=source set to require
edit rights.  While you're at it, adding that, you could also set
?action=diff to require edit rights.
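
Added example, not part of the original message: one way to apply the restriction discussed in this thread in a PmWiki `local/config.php`, assuming a PmWiki release that provides the `$HandleAuth` array (where `source` and `diff` default to `read`).

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php fragment (added example, assumes $HandleAuth is available)

# By default ?action=source and ?action=diff only need "read" permission,
# so any reader can see markup hidden behind (:if:) conditionals and
# earlier revisions of the page.

# Require edit rights to view the raw page source.
$HandleAuth['source'] = 'edit';

# Require edit rights to view page history.
$HandleAuth['diff'] = 'edit';
```

Text concealed with (:if:) is still stored in the page, so anyone who holds edit rights can read it after this change.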
