[pmwiki-users] ZAP Auth question

Ben Stallings Ben at InterdependentWeb.com
Tue Oct 10 12:32:32 CDT 2006


Caveman wrote,
> After thinking about it a bit, I would like to try to rework part of
> the authorization system within the soon coming ZAP forms processing
> engine.  Namely I have:
> 
> SDV($EnableZAPemail, "false");
> SDV($EnableZAPfiles, "false");
> 
> As I have it now, to use the email or file management system, these
> must be set to true in a local config file.  Is there perhaps some way
> to get the submitters auth level and use that as a check?  Something
> like
> 
> SDV($ZAPauth[email], "admin");
> SDV($ZAPauth[files], "edit");
> 
> With this of course, you could override the auth required for specific
> forms in a local config file.

I'm not clear yet on how the file-management system works, so I'll limit 
my response to the email form functionality: do you distinguish between 
the ability to create a mail form and the ability to use a mail form? 
It seems to me that the part of a mail form you'd want to restrict is 
the ability to specify recipients.

I use the MailForm recipe on my sites, and one thing I really like about 
it is that although anybody with edit privs can create a mailform, the 
possible recipients are defined in the config.php, well out of their 
reach, making the recipe basically harmless.  So perhaps if you focus on 
restricting access to the list of recipients, it might not be necessary 
to restrict access to the mailing function.

Another approach would be to turn on dangerous functionality only for 
specified page groups.  In other words, if I want to use the 
file-management utility (I said I wasn't going to talk about this) in 
the FileManagement group, I would need to specify in my config.php
  $ZAPauth['files'] = array('FileManagement');
This would give me every opportunity to set up an edit password for the 
FileManagement group before ZAPping it.  The program would check if 
(in_array($Group, $ZAPauth['files'])) before running the file-management 
function.  --Ben S.
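
The two checks discussed in this message (recipients fixed in config.php, and dangerous features enabled only for listed page groups), sketched as an added example that is not part of the original message or of the ZAP or MailForm code. Only $ZAPauth['files'] comes from the message; $ZAPrecipients, the 'email' entry, both function names and the sample data are hypothetical.

```php
<?php
// Added example. In a real install these two arrays would live in config.php,
// out of reach of anyone who only has edit rights on wiki pages.
$ZAPauth = [
    'files' => ['FileManagement'],   // groups where file management may run
    'email' => ['Contact'],          // hypothetical: groups where mail forms may run
];
$ZAPrecipients = [                   // hypothetical: forms submit a key, never an address
    'webmaster' => 'webmaster@example.org',
    'sales'     => 'sales@example.org',
];

// Fail closed: a feature with no entry in $ZAPauth is disabled everywhere.
function zap_feature_allowed(array $auth, string $feature, string $group): bool
{
    return isset($auth[$feature])
        && is_array($auth[$feature])
        && in_array($group, $auth[$feature], true);   // strict comparison
}

// Map a submitted recipient key to a configured address, or null if unknown.
function zap_resolve_recipient(array $recipients, $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, $recipients)) {
        return null;
    }
    return $recipients[$key];
}

// Constructed submissions: [group the form page lives in, submitted "to" field]
$samples = [
    ['Contact', 'sales'],                 // allowed group, known key
    ['Contact', 'outside@example.net'],   // raw address instead of a key
    ['Main',    'sales'],                 // known key, group not enabled
];
foreach ($samples as [$group, $to]) {
    $rcpt = zap_feature_allowed($ZAPauth, 'email', $group)
        ? zap_resolve_recipient($ZAPrecipients, $to)
        : null;
    printf("%-8s %-20s => %s\n", $group, $to, $rcpt ?? 'rejected');
}
```

Only the first constructed submission resolves to an address; the other two are rejected, one by the recipient lookup and one by the group check.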
