[pmwiki-users] How to disable some actions if user has no admin rights?
Patrick R. Michaud
pmichaud at pobox.com
Tue Mar 7 08:49:38 CST 2006
On Tue, Mar 07, 2006 at 09:37:34AM -0500, Ted Nicolson wrote:
> Is it possible to disable actions like rss, diff, atom etc., if the user has
> not logged in yet?
> [...]
> I tried something like the following in both skin.php and config.php
> ...
> $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
> if (! $page['=auth']['admin']) {
> ## Allow only essential site-related actions.
> $Actions_allowed = array('browse','print','search','login');
> if (! in_array($action, $Actions_allowed)) { $action='browse'; }
> }

This should've worked in config.php; it won't work in skin.php
unless a number of variables are declared global. However, I
feel pretty strongly that changes to actions and security-related
features really belong in config.php and not skin.php.

Be sure the call to RetrieveAuthPage() occurs *after* setting
the values in $DefaultPasswords (and any calls to authuser.php, if
you're using that).

I would probably do:

    # make sure this is after $DefaultPasswords and/or authuser.php
    $pagename = ResolvePageName($pagename);
    $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
    if (!$page['=auth']['admin']) {
      # non-admins may only use these actions; anything else becomes 'browse'
      $allowed = array('browse', 'print', 'search', 'login');
      if (!in_array($action, $allowed)) { $action = 'browse'; }
    }

Pm