[pmwiki-users] Fwd: ZAP Auth question

The Editor editor at fast.st
Tue Oct 10 13:35:45 CDT 2006


On 10/10/06, Ben Stallings <Ben at interdependentweb.com> wrote:
> Caveman wrote,
> > After thinking about it a bit, I would like to try to rework part of
> > the authorization system within the soon coming ZAP forms processing
> > engine.  Namely I have:
> >
> > SDV($EnableZAPemail, "false");
> > SDV($EnableZAPfiles, "false");
> >
> > As I have it now, to use the email or file management system, these
> > must be set to true in a local config file.  Is there perhaps some way
> > to get the submitters auth level and use that as a check?  Something
> > like
> >
> > SDV($ZAPauth[email], "admin");
> > SDV($ZAPauth[files], "edit");
> >
> > With this of course, you could override the auth required for specific
> > forms in a local config file.
>
> I'm not clear yet on how the file-management system works, so I'll limit
> my response to the email form functionality: do you distinguish between
> the ability to create a mail form and the ability to use a mail form?
> It seems to me that the part of a mail form you'd want to restrict is
> the ability to specify recipients.

Actually, it is only to limit form functionality.  Of course, on my
site everything is edit protected. I give people edit privileges
through magic boxes which are much easier to use, and more secure. So
no one can create forms on their own, generally. These extra security
steps are for those who have more open wiki's.

> I use the MailForm recipe on my sites, and one thing I really like about
> it is that although anybody with edit privs can create a mailform, the
> possible recipients are defined in the config.php, well out of their
> reach, making the recipe basically harmless.  So perhaps if you focus on
> restricting access to the list of recipients, it might not be necessary
> to restrict access to the mailing function.

Since the recipients are either in a hidden field or an undisclosed
mail list, in edit protected sites forms are safe from being misused.
For more open sites, I wanted to disable the emailing features for
either groups or by auth level (ie the EnableZAPemailer or ZAPauth[]).
 This may be better than the MailForm recipe as you have more
flexibility:  admins can easily send messages to anyone, or easily
update mail lists, but non admins won't be able to send a form at all
to anyone. (Unless you want to let them, and then only to those you
want to let them send it to...)

> Another approach would be to turn on dangerous functionality only for
> specified page groups.  In other words, if I want to use the
> file-management utility (I said I wasn't going to talk about this) in
> the FileManagement group, I would need to specify in my config.php
>   $ZAPauth['files'] = array('FileManagement');
> This would give me every opportunity to set up an edit password for the
> FileManagement group before ZAPping it.  The program would check if
> (inarray($Group, $ZAPauth['files'])) before running the file-management
> function.  --Ben S.

Well that is the idea behind the EnableZAPemailer/EnableZAPfiles. They
can be enabled only in the groups/pages you want in a local config
file. But it might be easier to set up as an array in the main
config.php file, rather than having to enable every where it is
needed... I'll see if I can't come up with a way to tap into the
userauth though...  A very good idea.

I like the idea of ZAPping the form.  I do think we have the right name!

Cheers,
Caveman




More information about the pmwiki-users mailing list