[pmwiki-users] Fwd: ZAPauth & PmWiki

The Editor editor at fast.st
Sun Oct 15 16:29:47 CDT 2006


Posted this yesterday, but didn't get any takers.  Anyone  have thoughts?

Cheers,
Caveman


I'm trying to improve the permissions systems in ZAP a bit to make it
tie in better with PmWiki.  I want to give admins the ability to set
various features to various auth levels, so that emailing might only
be allowed to those with edit permission, file management only to
those with upload permissions, or reading data to those with read
permissions, etc.  Or whatever.

I suppose you could also define custom actions and tap into them.
Using AuthUser should also allow you to set groups, set things in
GroupAttributes, etc.  It would extend the flexibility of PmWiki to
ZAP very nicely.

The question is, how do I access a given user's current auth level
within a recipe such that I could say something like,

SDV($ZAPauth['email'], "admin");
if( ~get user's auth level~ == $ZAPauth['email'])  execute emailer()

Also, on a related note, how does PmWiki avoid forged headers with an
upload form?  I presume some sort of security checking is done to
prevent users from tapping into the session variables.  Is it not that
the submitter's auth level, or perhaps some other PmWiki session
variable is checked (that is difficult to spoof)?  If so, it seems
this should perhaps be a default check for ZAP as well.  Right now I'm
checking some session info but not any from PmWiki.

Cheers,
Caveman
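
An added example, not part of the original message and not ZAP's or PmWiki's own code: one way to gate recipe features on PmWiki authorization levels, as the message describes. It relies on PmWiki's CondAuth() and SDV(); the helper zap_allowed(), the levels in the map, the sample page name and the stand-in functions (used only when the file is run outside PmWiki) are assumptions for illustration.

```php
<?php
// Added illustration; zap_allowed() and the stand-ins below are hypothetical.

// Stand-ins so the file runs outside PmWiki. Inside a recipe, PmWiki's own
// CondAuth($pagename, $level) is used; it checks the current visitor against
// the page, group and site passwords and any AuthUser groups.
if (!function_exists('CondAuth')) {
  function CondAuth($pagename, $level) {
    $granted = array('read' => true, 'edit' => true); // constructed sample visitor
    return !empty($granted[$level]);
  }
}
if (!function_exists('SDV')) {
  // Same semantics as PmWiki's SDV(): set only when not already set.
  function SDV(&$var, $val) { if (!isset($var)) $var = $val; }
}

// Feature => auth level required. Because SDV() only sets defaults, an admin
// can override any of these earlier in local/config.php.
SDV($ZAPauth['email'], 'edit');
SDV($ZAPauth['files'], 'upload');
SDV($ZAPauth['data'],  'read');

function zap_allowed($pagename, $feature) {
  global $ZAPauth;
  // Fail closed: a feature with no configured level is never allowed.
  if (empty($ZAPauth[$feature])) return false;
  // Decided server-side on every request; no submitted form field is trusted.
  return (bool) CondAuth($pagename, $ZAPauth[$feature]);
}

$pagename = 'Main.HomePage'; // constructed sample page name
foreach (array('email', 'files', 'data', 'unknown') as $feature) {
  echo $feature, ': ', zap_allowed($pagename, $feature) ? 'allowed' : 'denied', "\n";
}
```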



