[pmwiki-users] ZAP Auth question
Ben Stallings
Ben at InterdependentWeb.com
Tue Oct 10 12:32:32 CDT 2006

Caveman wrote,
> After thinking about it a bit, I would like to try to rework part of
> the authorization system within the soon coming ZAP forms processing
> engine. Namely I have:
>
> SDV($EnableZAPemail, "false");
> SDV($EnableZAPfiles, "false");
>
> As I have it now, to use the email or file management system, these
> must be set to true in a local config file. Is there perhaps some way
> to get the submitters auth level and use that as a check? Something
> like
>
> SDV($ZAPauth['email'], "admin");
> SDV($ZAPauth['files'], "edit");
>
> With this of course, you could override the auth required for specific
> forms in a local config file.

I'm not clear yet on how the file-management system works, so I'll limit
my response to the email form functionality: do you distinguish between
the ability to create a mail form and the ability to use a mail form?
It seems to me that the part of a mail form you'd want to restrict is
the ability to specify recipients.

I use the MailForm recipe on my sites, and one thing I really like about
it is that although anybody with edit privs can create a mailform, the
possible recipients are defined in the config.php, well out of their
reach, making the recipe basically harmless. So perhaps if you focus on
restricting access to the list of recipients, it might not be necessary
to restrict access to the mailing function.

Another approach would be to turn on dangerous functionality only for
specified page groups. In other words, if I want to use the
file-management utility (I said I wasn't going to talk about this) in
the FileManagement group, I would need to specify in my config.php

$ZAPauth['files'] = array('FileManagement');

This would give me every opportunity to set up an edit password for the
FileManagement group before ZAPping it. The program would check if
(in_array($Group, $ZAPauth['files'])) before running the file-management
function.

--Ben S.
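
The two controls suggested in the message above (recipients fixed in config.php, and dangerous features enabled only for listed page groups), as an added example that is not part of the original post or of ZAP itself. The function names and $ZAPrecipients are hypothetical; $ZAPauth follows the shape proposed in the message, and the group name is passed in as a plain string.

```php
<?php
// Added illustration: hypothetical helpers, not ZAP or PmWiki code.

// These two arrays would live in config.php, out of reach of page editors.
$ZAPauth = array(
    // Groups in which the file-management feature may run.
    'files' => array('FileManagement'),
    // 'email' is not listed, so that feature stays off in every group.
);
$ZAPrecipients = array(
    // Constructed sample addresses, keyed by the alias a form may name.
    'webmaster' => 'webmaster@example.org',
    'sales'     => 'sales@example.org',
);

// Default deny: a feature runs only in groups explicitly listed for it.
function zap_feature_allowed($feature, $group, array $auth)
{
    if (!isset($auth[$feature]) || !is_array($auth[$feature])) {
        return false;               // unconfigured feature is never enabled
    }
    // Strict comparison avoids PHP's loose matching of 0, "" and null.
    return in_array($group, $auth[$feature], true);
}

// The form supplies only an alias; the address always comes from config,
// so someone with edit rights cannot make the form mail arbitrary people.
function zap_resolve_recipient($alias, array $recipients)
{
    if (!is_string($alias) || !isset($recipients[$alias])) {
        return null;                // unknown alias: caller must not send
    }
    return $recipients[$alias];
}

// Constructed requests: (feature, group the form was submitted from).
$requests = array(
    array('files', 'FileManagement'),
    array('files', 'Main'),
    array('email', 'FileManagement'),
);
foreach ($requests as $r) {
    $ok = zap_feature_allowed($r[0], $r[1], $ZAPauth);
    echo $r[0], ' in ', $r[1], ': ', ($ok ? 'run' : 'refuse'), "\n";
}
var_dump(zap_resolve_recipient('sales', $ZAPrecipients));
var_dump(zap_resolve_recipient('anyone@example.net', $ZAPrecipients));
```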