[pmwiki-users] ZAPauth & PmWiki
The Editor
editor at fast.st
Mon Oct 16 15:49:47 CDT 2006
On 10/16/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Mon, Oct 16, 2006 at 02:10:29PM -0400, The Editor wrote:
> > As Pm is catching up on emails, thought I would repost this one that
> > has been perplexing me for awhile.
> >
> > On 10/15/06, The Editor <editor at fast.st> wrote:
> > > I'm trying to improve the permissions systems in ZAP a bit to make it
> > > tie in better with PmWiki.
> > > ...
> > > The question is, how do I access a given user's current auth level
> > > within a recipe such that I could say something like,
> > >
> > > SDV($ZAPauth[email], "admin");
> > > if( ~get users auth level~ == ZAPauth[email]) execute emailer()
>
> It's wrong to think of users as having "auth levels", at least as
> you imply it here.
>
> We can't ask a generic question such as "does the user have edit
> permission". We can only ask "does the user have permission to
> edit page XYZ". There's no such thing as general "read level",
> "edit level", or "upload level" associated with a user -- one can
> only speak of those permissions in reference to a particular
> page.
So you would write something like the following then:
SDV($ZAPauth[email], "admin");
if( ~user has $ZAPauth[email] /ie "admin"/ permission for current
page~ ) execute emailer()
Can you help fill in the code?
> > > Also, on a related note, how does PmWiki avoid forged headers with an
> > > upload form? ...
>
> What do you mean by "forged headers"? Or, put another way, PmWiki
> doesn't rely on headers for authorization.
I'm thinking about the basic security vulnerability I have with ZAP,
and wondering how you solved it for uploads (or edit forms for that
matter). Couldn't someone forge a form submission that has upname and
upfile, etc., and all the right fields, fire it off and automatically
upload a file to your server? Surely you somehow check the form
submission to ensure it genuinely came from a PmWiki page, and that
the submitter has permission to upload. I want something more like
this for ZAP as I'm not fully content the solution we came up with is
as secure as it should be.
And while I'm at it, I've discovered my solution for multiple zap
forms on a page was not a good one as it is storing scores of session
variables on the server and they aren't destroyed till the log out. I
need a better way to name them and destroy them. I have an
idea--thanks to Crisses... but, was wondering if I can I set a timer
(somehow) for how long specific session variables are store? Should I
store them separately from the PmWiki sessions (so I don't accidently
delete them). Or can I store them as an array, and then just delete
the whole array of ZAP sessions, etc.
Quite a pesky problem this form security thing.
Cheers,
Caveman
More information about the pmwiki-users
mailing list