[pmwiki-users] ZAPauth & PmWiki

The Editor editor at fast.st
Tue Oct 17 11:46:12 CDT 2006

Thanks again for the extra help.  A couple further questions...

On 10/17/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Tue, Oct 17, 2006 at 06:06:02AM -0400, The Editor wrote:
> > Part 1: Restricting ZAP
> > ...
> A function being called via HandleActions has to have the form:
>     function ZAPengine($pagename, $auth='zap') { ... }

Is this also required if using

if(CondAuth($pagename, $ZAPauth[forms])) {

I already have pagename and the ZAPauth array available as globals.
I've decided to try and make it work with ZAPauth instead, as it gives
much more flexibility of permissions, and should speed processing

> > Part 2: Customizing ZAP
> >
> > My next goal was to connect certain ZAP features to different auth
> > levels, but make these configurable, so you could allow more risky
> > behavior in certain single group/page (form) situations.  Here are the
> > suggested default settings:
> > ...
> > Anyway, does the code above look right?
> I can't really tell from what's presented here.

Here's a bit bigger code snippet to see if I have the idea right.
Ideally, a form submitter with just read permissions can login, but
they could not email or delete pages unless they have admin

SDV($ZAPauth[login], "read");
SDV($ZAPauth[admin], "admin");

$HandleActions['zap'] = 'ZAPengine';
function ZAPengine($ZAPflag=0, $pagename, $auth='zap') {
	global ...
	foreach ($_POST as $field => $value) {

if(CondAuth($pagename, $ZAPauth[login])) {
		if ($field == "login")	... continue;
		if ($field == "required") ... continue;
} // ends login fields

if(CondAuth($pagename, $ZAPauth[admin])) {
		if ($field == "email") ... continue;
		if ($field == "deletepages") ... continue;
} // ends admin fields

... end of engine code

> > Part 4. Authenticating ZAP Forms
> You've stopped one level short.  The random number shouldn't be
> sufficient to allow posting any form value -- it should only be
> sufficient to post to the exact data pages that were authorized
> for that number when the form was sent.

Ah!  Brilliant idea. That's the answer! But as ZAP has the power to
store stuff on multiple pages in one form, and do much more than just
save data..., I think I will have to take it even one step further.  I
will store a "lock" value which will allow the admin to delineate
which fields can be submitted, and where specified, even the values.
That will be perfect!  Now to work out the code...

One question right off--I'm not sure how to set a session variable as
an array, perhaps something like, assuming $x is the random number:

	$_SESSION[ZAPlock][$x] = "whatever the lock value is...";

This way I can destroy all the ZAPlock values by:


Is this correct?  And thanks again Pm!  I'm getting re-excited about
this.  It seems the solution to a couple ZAP issues are finally within


More information about the pmwiki-users mailing list