[pmwiki-users] spam despite edit restriction

The Editor editor at fast.st
Mon Nov 27 19:05:32 CST 2006


On 11/26/06, Hans <design5 at softflow.co.uk> wrote:
> Sunday, November 26, 2006, 4:59:12 PM, The wrote:
>
> > One way around this is to have some kind of authorization built into
> > the recipe that verifies the form submission is authentic. If you are
> > interested in using zap's approach I could point you to the
> > appropriate lines of code.  It works pretty nice and could be
> > transported to your recipe. Basically it causes forged headers to be
> > ignored.
>
> I would be interested to know how forged headers can be ignored.

If you will look in the main ZAP module you'll see a function called
ZAPform which sets a session variable with information about the
form's contents. Then when the form is submitted, the recipe runs a
function ZAPsecure right at the very beginning.  This checks to see
that the appropriate session variable was set or the form is canceled
(ZAPwarning). The first function is run as part of the markup creating
the form, the second as part of the forms processing engine once the
form is submitted.  It's like a key in a lock.

Because ZAP is so open-ended, I have a somewhat complex optional "lock
pattern" you can use to define the exact form fields allowed in the
submitted form and even their values. You might be able to simplify
that and move it into the recipe if you only use one standard form.
There are also some other lines I've added for various features
(uploads, etc.) you may also be able to delete.

These two functions are about 2/3 of the way down toward the end or
more.  Let me know if you have trouble making heads of the code. I'll
try to explain any questions you have.  But you're a much better coder
than me and you will probably be able to suggest ways to improve my
code.  : )

> > I do have a function that checks the submitter's auth level and can be
> > set to check the submitter has edit privileges, but that doesn't solve
> > the problem I think you mentioned, of things like forums, etc, where
> > people might be posting who cannot edit.  Also, I suspect you already
> > have that built in to your recipe.
>
> PmWiki has a function CondAuth($pagename, 'auth_level')
> which can be used for checking privileges, I discovered today.
> I added a note to page Pmwiki.Functions

Yes, that's the function I use in ZAP. That and checking for lock patterns also.

Cheers,
Caveman

PS.  I'll be uploading a revision to the code sometime in the next few
days which allows ZAPforms to be used in sidebars, which will shuffle
the functions around a bit, basically splitting the session setting
lines from ZAPform into a function called ZAPsetkey.  But if you look
at what's up now it's all in ZAPform.
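The "key in a lock" scheme described above (a session key stored when the form markup is rendered, checked first thing when the submission arrives, with an optional lock pattern restricting which fields and values the form may submit), sketched below as an added example. This is not the ZAP recipe's own PHP: the session is a plain dict standing in for $_SESSION, and the function names zap_setkey and zap_secure, the hidden field name formkey and the sample form data are all assumptions made for the sketch.

```python
import hmac
import secrets

# Name of the session slot and of the hidden form field (assumed names,
# not taken from the ZAP recipe).
FORM_KEY = "formkey"


def zap_setkey(session, form_id, lock_pattern):
    """Run while rendering the form markup (the ZAPform/ZAPsetkey step).

    Stores a random key plus a lock pattern describing the fields the form
    is allowed to submit, and returns the key so it can be embedded as a
    hidden input.  lock_pattern maps field name -> required value, or None
    when any value is acceptable.
    """
    key = secrets.token_hex(16)
    session.setdefault(FORM_KEY, {})[form_id] = {
        "key": key,
        "lock": dict(lock_pattern),
    }
    return key


def zap_secure(session, form_id, post):
    """Run before any processing of a submission (the ZAPsecure step).

    Returns (True, "") when the POST data carries the key this session
    issued for the form and respects the lock pattern, otherwise
    (False, reason).  The key is discarded on first use, so a replayed
    POST is rejected as well as a forged one.
    """
    entry = session.get(FORM_KEY, {}).get(form_id)
    if entry is None:
        return False, "no key in session: this session never rendered the form"

    submitted = str(post.get(FORM_KEY, ""))
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), entry["key"].encode()):
        return False, "form key missing or does not match the session"

    lock = entry["lock"]
    extra = set(post) - set(lock) - {FORM_KEY}
    if extra:
        return False, "field(s) not allowed by lock pattern: " + ", ".join(sorted(extra))
    for name, required in lock.items():
        if required is None:
            continue  # any value (or absence) is fine for this field
        if post.get(name) != required:
            return False, f"field {name!r} must be {required!r}"

    del session[FORM_KEY][form_id]  # one-time key
    return True, ""


if __name__ == "__main__":
    # Constructed walk-through: render a comment form, then submit it.
    session = {}
    lock = {"action": "comment", "text": None}
    key = zap_setkey(session, "comment", lock)
    print(zap_secure(session, "comment", {FORM_KEY: key, "action": "comment", "text": "hello"}))
    # A POST built without visiting the form carries no matching key.
    print(zap_secure({}, "comment", {"action": "comment", "text": "unsolicited"}))
```

The lock pattern is what lets a recipe with one standard form stay simple: fixed fields such as action are pinned to the value the markup rendered, free-text fields are left open with None, and anything not listed is refused before the recipe's processing engine ever sees it.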