[pmwiki-users] AuthUser

Sandy sandy at onebit.ca
Tue May 3 12:35:11 CDT 2011

Is this confirmed, both that one way has the hole and the other doesn't?

Near as I can tell, you're setting the same parameters either way, so 
I'd expect the results to be the same.

Or are there other things that should be done when changing those 
variables? If so, is there a function that can be called from config.php 
that will do all the housekeeping?

If it is possible to see and (:include:) file which you don't have 
access to, and access was set properly, then it's a bug.


On 5/2/2011 2:22 PM, Peter Bowers wrote:
> Randy pointed out (below) a serious security hole that I've been
> inadvertently leaving on my sites every since I started doing that
> config.php-only type of password-setting that I suggested above.  If I
> am viewing a group for which I have read permission I can then
> (:include:) a page for which I do *not* have read permission.

More information about the pmwiki-users mailing list