[pmwiki-users] [pmwiki-devel] check authorization requirements for a given page

DaveG pmwiki at solidgone.com
Thu Oct 1 15:58:55 CDT 2009


<<back on list>>

On 10/1/2009 4:25 PM, Frank Schweickert wrote:
>
>> In order to check for edit access to a page use RetrieveAuthPage():
>> RetrieveAuthPage($pagename, 'edit', true, 0)
> Yes, but this test would enable a malicious <script> on a not-password
> protected page for authorized editors, wouldn' it? (no good!)
> I wanted to make sure that <script> tags are ignored on any page that
> does not require any password,
> i.e. that has no password set along the "authcascade" (I found that word
> somewhere...),
> but that <script> is honoured for any even anonymous user on a page that
> has some edit password set (to make sure it is a good script)
So you want to:
# ignore <script> tags on non-password protected pages
# honor <script> tags for all pages with edit password set

As you point out the problem with the RetrieveAuthPage approach is that 
for non-password protected pages everyone has edit access. Then in that 
case I think you'd need to check the password page attribute (refer to 
the answers on my post earlier today "Setting page privs from 
config.php"). You can do that by using code similar to what Hans suggested:

    $page = RetrieveAuthPage($pagename, 'read', true);
    if (!$page) echo "?cannot read $pagename";
    if ($page['passwdedit']) { DEFINE MARKUP }
    else { BLANK OUT THE MARKUP }


  ~ ~ Dave



More information about the pmwiki-users mailing list