[pmwiki-users] Recent pmwiki versions may have broken the PublishPDF plug-in

John Rankin john.rankin at affinity.co.nz
Tue Apr 14 21:29:24 CDT 2009


I am wondering whether changes to pmwiki security introduced in 
beta 67 (or possibly a later change) may have broken the PublishPDF 
library's ability to request a PDF of a password-protected page. 
While I am still investigating the issue, I thought it best to seek 
an informed opinion early, as this is potentially a serious problem 
with the recipe, needing an urgent fix.

The problem as reported occurs when an authenticated user calls for 
a PDF of a password-protected page. The problem occurs both for 
password access (standard pmwiki security) and username/password 
(via authuser) access. The PDF comes back with "Password required" 
instead of the page's contents. This has worked with no problems 
for several years.

For unprotected pages, everything works fine. 

For password-protected pages:

- the reader requests a PDF, which causes the wiki to pass the 
  PHPSESSID as a hidden form variable to the PDF server

- the PDF server issues a request to the wiki for the page's content,
  including the PHPSESSID in the URL (via a header cookie), along
  with the other parameters

- the wiki server refuses access and prompts for a password, instead
  of returning the page content

- when the reader attempts to return to the page from the wiki's
 "request PDF" screen, the wiki asks for a password, even though the
  reader is already authenticated; if the reader returns to the page
  without submitting a PDF request, it's fine

For authuser protected sites, it uses IP-based authentication. Code 
in local/config.php inspects the IP address of the incoming request 
($_SERVER['REMOTE_ADDR']) and if it matches that of the PDF server, 
it sets $_POST['authid'] and $_POST['authpw'] to valid values. This 
also no longer works on the site in question.

I will keep investigating this, but it would be useful to have an 
informed opinion that "pmwiki [should still/will no longer] support 
these solutions." The site in question is running pmwiki 2.2.1 plus 
the latest PublishPDF library. There is a test wiki with no other
local customisations. AFAIK, I haven't changed the recipe's security 
handler. The fact that both access methods broke makes me wonder if 
it could be a pmwiki change, and if so, what I need to do to fix it.
I have asked the user to revert to beta 66 to see if the problem 
goes away.

TIA
-- 
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
021 RANKIN
john.rankin at affinity.co.nz
www.affinity.co.nz





More information about the pmwiki-users mailing list