[pmwiki-users] Alternate authorization levels for $EnableDiag
sti at pooq.com
Thu Jun 28 15:59:36 CDT 2007
Guillermo Calderon - INCO wrote:
> H. Fox wrote:
>> I would like to enable the diagnostic actions, but only for
>> edit-authorized visitors to the site. I tried
>>
>> ## Enable remote diagnostics (?action=diag and ?action=phpinfo).
>> $EnableDiag = 1;
>> $HandleAuth['diag'] = 'edit';
>> $HandleAuth['phpinfo'] = 'edit';
>>
>> in a configuration file, but the diagnostic actions are still
>> available to a plain old read-authorized visitor. How can I achieve
>> the desired effect?
>>
>
> I think the problem is in the file scripts/diag.php
>
> This file contains the following piece of code:
>
> if ($action=='diag') {
>   @session_start();
>   header('Content-type: text/plain');
>   print_r($GLOBALS);
>   exit();
> }
>
> There is no test for permissions there.
>
> You have to modify this file in order to fix this problem.
>
Not true! You almost never have to modify PmWiki's code to achieve this sort
of thing. In this case, you want something more along the lines of:

    if( $PCache[$pagename]["=auth"]["edit"] )
      { $EnableDiag = 1; }

Which just tests to see if you have edit rights for the current page before
turning on EnableDiag. (Note: I think this is right, but I haven't tested it.)