[pmwiki-users] Alternate authorization levels for $EnableDiag

sti at pooq.com sti at pooq.com
Thu Jun 28 15:59:36 CDT 2007


Guillermo Calderon - INCO wrote:
> H. Fox wrote:
>> I would like to enable the diagnostic actions, but only for
>> edit-authorized visitors to the site.  I tried
>>
>>    ## Enable remote diagnostics (?action=diag and ?action=phpinfo).
>>    $EnableDiag = 1;
>>    $HandleAuth['diag'] = 'edit';
>>    $HandleAuth['phpinfo'] = 'edit';
>>
>> in a configuration file, but the diagnostic actions are still
>> available to a plain old read-authorized visitor.  How can I achieve
>> the desired effect?
>>
> 
> I think the problem is in the file scripts/diag.php
> 
> This file contains the following piece of code:
> 
>    if ($action=='diag') {
>      @session_start();
>      header('Content-type: text/plain');
>      print_r($GLOBALS);
>      exit();
>    }
> 
> There is no test for permissions there.
> 
> You have to modify this file in order to fix this problem.
> 
Not true! You almost never have to modify PmWiki's code to achieve this sort
of thing. In this case, you want something more along the lines of:

if( $PCache[$pagename]["=auth"]["edit"] )
  { $EnableDiag = 1; }

Which just tests to see if you have edit rights for the current page before
turning on EnableDiag. (Note: I think this is right, but I haven't tested it.)
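
The same idea written with PmWiki's `CondAuth()` and `ResolvePageName()` functions, as an added example that is not part of the original message and has not been tested against this site. It assumes the fragment is placed at the end of local/config.php, after all passwords and authorization settings have been defined:

```php
<?php if (!defined('PmWiki')) exit();
# Added example for local/config.php; place it after all passwords and
# auth settings, since CondAuth() evaluates them when it is called.

# Resolve the requested page name so the permission check below runs
# against the page actually being viewed.
$pagename = ResolvePageName($pagename);

# Diagnostics stay off unless the visitor already holds edit rights here.
# $EnableDiag gates both ?action=diag and ?action=phpinfo.
$EnableDiag = 0;
if (CondAuth($pagename, 'edit')) {
  $EnableDiag = 1;
}
```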




