[pmwiki-users] Alternate authorization levels for $EnableDiag actions

Patrick R. Michaud pmichaud at pobox.com
Thu Jul 5 10:36:05 CDT 2007


On Thu, Jun 28, 2007 at 01:52:44PM -0300, Guillermo Calderon - INCO wrote:
> H. Fox wrote:
> > I would like to enable the diagnostic actions, but only for
> > edit-authorized visitors to the site.  I tried
> > 
> >    ## Enable remote diagnostics (?action=diag and ?action=phpinfo).
> >    $EnableDiag = 1;
> >    $HandleAuth['diag'] = 'edit';
> >    $HandleAuth['phpinfo'] = 'edit';
> > 
> > in a configuration file, but the diagnostic actions are still
> > available to a plain old read-authorized visitor.  How can I achieve
> > the desired effect?
> 
> I think  the problem is in the file scripts/diag.php
> 
> This file contains the following piece of code:
> 
>    if ($action=='diag') {
>      @session_start();
>      header('Content-type: text/plain');
>      print_r($GLOBALS);
>      exit();
>    }
> 
> There is no test for permissions there.
> 
> You have to modify this file in order to fix this problem.

?action=diag doesn't go through the normal "HandleAuth" array
or authorization routines, because it's often the case that what
we're wanting to "diag" is the authorization itself, or we're
wanting to generate diagnostic output before PmWiki completes
its initialization.  So, ?action=diag is handled directly in
diag.php.

To get ?action=diag to require edit permission, one currently
does it explicitly in local/config.php, with something like:

  if ($action == 'diag' && !CondAuth($pagename, 'edit'))
    $action = 'browse';

Pm
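The same check extended to both diagnostic actions the original question names (?action=diag and ?action=phpinfo), as an added example that is not code from this thread or from PmWiki itself. It assumes the usual PmWiki globals $action and $pagename, PmWiki's own CondAuth() function, placement in local/config.php, and a hypothetical $DiagActions list introduced here for illustration.

```php
<?php
## local/config.php (added example, not part of the thread)

## Enable remote diagnostics (?action=diag and ?action=phpinfo).
$EnableDiag = 1;

## Both diagnostic actions are handled directly in scripts/diag.php
## and never consult $HandleAuth, so the permission check must be
## made here, before that script produces any output.
$DiagActions = array('diag', 'phpinfo');   # hypothetical list of guarded actions

if (in_array($action, $DiagActions, true)) {
  ## CondAuth() is PmWiki's core check; it returns true only when the
  ## current visitor holds the named permission on $pagename.
  if (!CondAuth($pagename, 'edit')) {
    ## Fall back to an ordinary page view instead of exposing
    ## print_r($GLOBALS) or phpinfo() output to read-only visitors.
    $action = 'browse';
  }
}
```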
