[pmwiki-users] ajax-like skins (was: new recipe ShowHide)
john.rankin at affinity.co.nz
Thu Mar 2 17:31:49 CST 2006
On Friday, 3 March 2006 11:58 AM, Robin Sheat <robin at kallisti.net.nz> wrote:
>On Friday 03 March 2006 11:48, John Rankin wrote:
>> How does AJAX address security? If I can read, but not edit, how
>> does it know whether "go here to edit the page" is an allowed
>> show/hide event in browse mode?
>Well, all the requests go via the server, it's simple enough for the
>server to say 'Not authorised', or open a password box or something.
>Robin <robin at kallisti.net.nz> JabberID:
><eythian at jabber.kallisti.net.nz>
(after a small earthquake...)
I like that "simple enough" -- so I haven't thought it through.
As I understand Jon's proposal, we browse a page, then we
click an edit link the browser does a 'hide' of the page and
'show' of the edit form. So far, this is through a pmwiki
?action=browse, and pmwiki's HandleBrowse doesn't know whether
the user is authorised to edit. So, pmwiki shows the reader an
edit screen on the same basis that ?action=source doesn't normally
require an edit password, but if the reader presses Save or
Preview, this invokes a HandleEdit and the reader gets prompted
for an edit password as normal, if necessary.
So we just need to refine the definition of $HandleBrowseFmt.
Got it. As long as we don't mind showing an edit screen to a
person who may not have edit access rights, "it just works".
A reader can see an edit screen, but not save any edits without
a password. And I guess it's "simple enough" to make HandleBrowse
smarter and prevent access to the show edit screen toggle.
Thanks for that.
More information about the pmwiki-users