[pmwiki-users] ZAPauth & PmWiki
The Editor
editor at fast.st
Tue Oct 17 14:40:51 CDT 2006
Good news! I was able to get the form securing process in good
working order. The session variable is named as ZAPlock[] with the
array being the random number. When I submit a lock pattern into the
ZAPform markup like field1,field2=value,field3 it eliminates any
unlisted POST fields and overrides any changed values. I guess I'll go
ahead and add pagename in there too. Should be quite a lock!

However, the ZAPauth is evidently still not working... The following
conditionals seem to be failing, even though I'm logged in as an
admin...

SDV($ZAPauth[login], "read");
SDV($ZAPauth[admin], "admin");
$HandleActions['zap'] = 'ZAPengine';
function ZAPengine($ZAPflag=0, $pagename, $auth='zap') {
  global ...
  foreach ($_POST as $field => $value) {
    if(CondAuth($pagename, $ZAPauth[login])) { // problem here
      if ($field == "login") ... continue;
      if ($field == "required") ... continue;
    } // ends login fields
    if(CondAuth($pagename, $ZAPauth[admin])) { // problem here
      if ($field == "email") ... continue;
      if ($field == "deletepages") ... continue;
    } // ends admin fields
    ... rest of engine code

Any suggestions?

For review: it's supposed to allow/disallow certain functions based on
their permissions relevant to the current page. To allow additional
functions in a form, you just lower the ZAPauth required in a local
config page (for example change $ZAPauth[admin] from 'admin' to 'read'
and users with read permission can submit an email form).
The CondAuth function though seems to be failing because the actions
aren't being done.
Cheers,
Caveman
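
The form lock described in this message, sketched as an added example (not code from the post or from ZAP itself). The function names zap_parse_lock() and zap_apply_lock(), the use of random_bytes() for the random number, and the idea that the form carries that number back with the submission are assumptions made for illustration.

```php
<?php
// Added illustration; zap_parse_lock() and zap_apply_lock() are hypothetical
// names, not functions from ZAP or PmWiki.

// Parse "field1,field2=value,field3" into [name => pinned value or null].
function zap_parse_lock(string $pattern): array {
    $lock = [];
    foreach (explode(',', $pattern) as $item) {
        $item = trim($item);
        if ($item === '') continue;
        $parts = explode('=', $item, 2);
        $lock[trim($parts[0])] = isset($parts[1]) ? $parts[1] : null;
    }
    return $lock;
}

// Keep only the fields named in the lock stored under $token. Pinned fields
// take the server-side value no matter what the client posted.
function zap_apply_lock(array $post, array $sessionLocks, string $token): ?array {
    if (!isset($sessionLocks[$token])) return null;  // unknown lock: reject the submission
    $clean = [];
    foreach ($sessionLocks[$token] as $name => $pinned) {
        if ($pinned !== null) {
            $clean[$name] = $pinned;
        } elseif (isset($post[$name]) && is_string($post[$name])) {
            $clean[$name] = $post[$name];
        }
    }
    return $clean;
}

// Constructed sample: when the form is rendered, the lock is stored in the
// session array under a random key (a plain array stands in for the session).
$token = bin2hex(random_bytes(16));
$locks = [$token => zap_parse_lock('name,email=admin@example.org,comment')];

// Constructed sample: a tampered submission with a changed and an extra field.
$post = ['name' => 'Al', 'email' => 'other@example.net', 'deletepages' => 'Main.HomePage'];

var_dump(zap_apply_lock($post, $locks, $token));   // name kept, email reset, deletepages dropped
var_dump(zap_apply_lock($post, $locks, 'bogus'));  // NULL: no lock stored under that key
```

Building the cleaned array from the lock rather than deleting entries from the posted data means a field is processed only if the server listed it when the form was rendered.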