[Pmwiki-users] Re: Re: Edit password also used to read pages in PmWiki 2?

chr@home.se chr
Sat Nov 20 08:05:39 CST 2004


On Fri, 19 Nov 2004, Patrick R. Michaud wrote:

> On Fri, Nov 19, 2004 at 02:48:53PM +0100, chr at home.se wrote:
> > So what happens if you go directly to a URI like
> > 	http://... ?action=edit
> > 
> > without having visited the site before? I assume you'll be asked for the
> > edit password?
> > 
> > And then when you've saved the page you're asked for the read password?
> 
> Yup.
> 
> Believe it or not, this isn't entirely as farfetched or unintuitive as
> it might sound.  There are situations in which being able to edit a page
> doesn't imply that you know the page's entire contents when it's displayed
> via ?action=browse -- consider (:include:) and its relatives.  Currently
> (:include:) will insert the contents of another page only if the user
> has previously entered any read passwords for that page, and included
> pages won't generate password prompts.  So, entering the read password
> for the page just edited might be an important step to enabling access
> to other pages or features it includes or references.

Hmm... interesting. But... is there anything that prevents a person from 
adding (:include ...:) to e.g. the sandbox, thereby seeing what's in a 
page that's supposed to be read protected?

Or does pmwiki check for read passwords of pages that are included?

> That said, I might make this into a customization option of some sort,
> so that an administrator can set "edit implies read", "attr implies
> all" policies to be used by the passwording mechanism.

Sounds like a good solution to me, a cookbook page?

/Christian


-- 
Christian Ridderström, +46-8-768 39 44               http://www.md.kth.se/~chr
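
A minimal model of the include behaviour discussed in this thread, added here as an illustration; it is not PmWiki code and not part of the original message. The page names, the password, the simplified `(:include Name:)` syntax and the helpers `Session`, `can_read`, `render` and `browse` are all hypothetical; `check_included=False` models a renderer that only checks the page being browsed, which is the sandbox case asked about above.

```python
import re

INCLUDE = re.compile(r"\(:include\s+([\w.]+):\)")

# Constructed sample wiki: page name -> (read password or None, page text)
PAGES = {
    "Main.Sandbox": (None, "Sandbox text. (:include Private.Plans:)"),
    "Private.Plans": ("s3cret", "Launch date is in Q3."),
    "Private.Index": ("s3cret",
                      "Index: (:include Private.Plans:) (:include Private.Index:)"),
}

class Session:
    """Remembers which passwords the visitor has already entered."""
    def __init__(self, *passwords):
        self.passwords = set(passwords)

def can_read(name, session):
    password, _ = PAGES[name]
    return password is None or password in session.passwords

def render(name, session, check_included=True, _seen=()):
    """Expand includes; each included page gets its own read check."""
    if name not in PAGES or name in _seen:
        return ""                      # missing page or include loop
    _, text = PAGES[name]

    def expand(match):
        target = match.group(1)
        if target not in PAGES:
            return ""
        if check_included and not can_read(target, session):
            return ""                  # silently omitted, no password prompt
        return render(target, session, check_included, _seen + (name,))

    return INCLUDE.sub(expand, text)

def browse(name, session, check_included=True):
    """Top-level view: only the requested page itself triggers a prompt."""
    if not can_read(name, session):
        return "PASSWORD REQUIRED"
    return render(name, session, check_included)
```

With the per-include check, an anonymous visitor browsing the sandbox gets the sandbox text with the protected page left out; without it, the protected text appears in the output.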




