[pmwiki-users] PmWiki configuration via PmWiki

Joachim Durchholz jo at durchholz.org
Thu Apr 21 03:07:42 CDT 2005


Patrick R. Michaud wrote:
> I posted my opinion on this in http://www.pmwiki.org/wiki/PITS/00394.

Ah - the security issue raised on that page is indeed something to consider.

I have a feeling that editing PHP on the configuration pages doesn't 
create any security problems above those already present. If some other 
site on the same server can edit pages, it can abuse the wiki already, 
and the ability to inject PHP code and have it executed doesn't give it 
any capabilities that it doesn't have already (it doesn't gain read or 
write access above what it already has, and it also can execute scripts 
already, so there's no point in doing it through a PmWiki installation). 
That's just what occurred to me, I don't have the time to consider 
ramifications.

> The bottom line is that since we can't get rid of configuration in PHP,
> in general it's better to stick with PHP syntax except in those cases 
> where some configuration component needs to be managed by multiple
> authors/admins (e.g., blocklists, sidebars, and translations)

I'm not sure where to draw the line here. Is there *anything* that 
couldn't be managed by multiple admins?

Besides, I for one would really like to be able to edit the 
configuration through PmWiki. I do have ssh access and am reasonably 
fluent with it, but I have no xterm, and Unix text-mode editors tend to 
be rather inconvenient, so I constantly download configuration files, 
edit them, and upload them. Worse, one site is being co-administered, 
and there were several instances where configuration changes made by one 
were overwritten by the other.

Being able to do all configuration through PmWiki itself would get me the 
benefit of conflict management (once we get it to work though - I'll 
check whether my installation has the same safemode problem; good thing 
if it's that, since the only installation that has safe mode activated 
is the single-author one).

Regards,
Jo



