[pmwiki-users] RSS Feed + Read Protected Groups
Patrick R. Michaud
pmichaud at pobox.com
Fri Jan 6 10:38:43 CST 2006
On Fri, Jan 06, 2006 at 10:16:41AM -0600, Tegan Dowling wrote:
> On 1/6/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Thu, Jan 05, 2006 at 04:16:04PM -0800, Richard A. Millard wrote:
>
> > I was also hoping to set up a RSS feed of the Group.RecentChanges
> page
> > I have that Group password set using
> Eberron.GroupAttributes?action=attr ,
> > but I can't figure out how to allow Group.RecentChange to produce a
> RSS
> > feed, and still protect the rest of the Group behind a login
> password.
> >
>
> $EnablePageListProtect = 0;
>
> If you want to keep $EnablePageListProtect=1; in your config.php, I
> believe you could create a local/Eberron.php file containing just
>
> <?php
> $EnablePageListProtect = 0;
>
> Anyone: Any problem with this?
Well, even if $EnablePageListProtect=0; in local/Eberron.php,
it's possible for someone to use that to see the existence of pages
in all groups. Essentially someone can then do:
.../pmwiki.php/Eberron/RecentChanges?action=rss&trail=Site.AllRecentChanges
to get a list of all pages, including password-protected ones.
Why? Well, specifying Eberron/RecentChanges causes the Eberron.php
to be loaded (thus turning off $EnablePageListProtect), and then
the ?action=rss command is told to read pages from Site.AllRecentChanges.
Almost all variables that have to do with read-protecting pages
must be set in the site-wide configuration file to be effective;
placing them in per-group configuration files means they can be
bypassed simply by referencing a page from a different group.
Pm
More information about the pmwiki-users
mailing list