[pmwiki-users] delete GroupAttributes

Patrick R. Michaud pmichaud at pobox.com
Thu Jun 15 09:21:58 CDT 2006


On Wed, Jun 14, 2006 at 12:04:26AM +0200, Clemens Gruber wrote:
> Hello,
> 
> is this a security hole or a misconfiguration on my side: I've set in 
> local/config.php
> [...]
> In this case I can't execute Main.GroupAttributes?action=attr as user 
> "account1" - there are no rights set before - that's ok. But I can edit 
> the page Main.GroupAttributes?action=edit and can delete this page by 
> typing "delete" in the textarea?? Now all settings made in 
> Main.GroupAttributes are reset. Any idea?

It's a known bug -- http://www.pmwiki.org/wiki/PITS/00238 .
I'm still not entirely certain how I want to fix that.

On the other hand, you're the first person to ever stumble 
across it (and that PITS entry was made eighteen months ago;
I added it as a placeholder because I knew the bug was there. :-)

I may be able to come up with a simple fix that requires attr
permission in order to actually delete a page.

Pm



