[pmwiki-users] Making new pages only editable by creator with AuthUser

Patrick R. Michaud pmichaud at pobox.com
Wed Sep 13 08:15:01 CDT 2006


On Tue, Sep 12, 2006 at 04:55:51PM -0400, Pierre Racine wrote:
>    I am trying to build a site using AuthUser where users can create pages that
>    are automatically only editable by them (and by the site admin).
> 
>    My config.php already contains this:
> 
>    $DefaultPasswords['admin'] = crypt('******');
>    include_once("$FarmD/scripts/authuser.php");
>    $Author = $AuthId;
>    $EnablePostAuthorRequired = 1;
>    include_once('cookbook/login.php');
>
>    If I set a default password for the edit action:
> 
>    $DefaultPasswords['edit'] = crypt('******');
> 
>    the system keeps on asking for a password until I give the admin one.
> 
>    Without this restriction, even if I've set a site password, anybody can
>    get to the edit page. They cannot save it because I removed the author
>    field and EnablePostAuthorRequired is set but this is another story. Isn't
>    that a bug that they can get to the edit page?

No, not really -- we just have to look at the question correctly, 
as it has two parts:  (1) who is allowed to create a page, and
(2) who is allowed to edit a page once it's created?

For the first part (who is allowed to create a page), if you want to 
limit page creation to registered users, then you need

    $DefaultPasswords['edit'] = 'id:*';

This says that only people who are logged in can edit a page.

For the second part (limiting editing of a page to its creator),
we need a special function in the editing sequence to set the
initial password of a page.  Fortunately this isn't too
difficult -- put the following in config.php:

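    function OnlyCreatorEdit($pagename, &$page, &$new) {
      global $AuthId;
      # Only a page that does not exist yet gets an owner; existing
      # pages keep whatever edit password they already have.
      if (!PageExists($pagename))
        $new['passwdedit'] = "id:$AuthId";
    }

    # Run this before the other edit functions.
    array_unshift($EditFunctions, 'OnlyCreatorEdit');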

This automatically adds an 'edit' password to any newly
created page; the edit password limits further editing to
the identity of the person that created it.

Of course, the admin password overrides all restrictions,
as always.

Hope this helps,

Pm
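
An offline harness for the hook above, added here as an example; it is not part of the original message or of PmWiki. `$Store`, `MayEdit()` and `SaveAs()` are hypothetical stand-ins, `PageExists()` is a stub, and the authorization model is a deliberate simplification of the rules the message describes.

```php
<?php
// Added example: offline harness, not PmWiki code. $Store, MayEdit() and
// SaveAs() are hypothetical stand-ins for the page store and PmWiki's checks.
$Store = [];                              // pagename => saved page attributes
$AuthId = '';                             // set by authuser.php on a real site
$DefaultPasswords = ['edit' => 'id:*'];   // part 1: only logged-in users edit

function PageExists($pagename) {          // stub with the same name as PmWiki's
  global $Store;
  return isset($Store[$pagename]);
}

// The hook as posted in the message above.
function OnlyCreatorEdit($pagename, &$page, &$new) {
  global $AuthId;
  if (!PageExists($pagename))
    $new['passwdedit'] = "id:$AuthId";
}

// Simplified model (assumption): a page's own passwdedit overrides the site
// default, 'id:*' admits any logged-in user, 'id:name' admits only that
// user, and the admin is always admitted.
function MayEdit($pagename, $authId, $isAdmin = false) {
  global $Store, $DefaultPasswords;
  if ($isAdmin) return true;
  if ($authId === '') return false;
  $rule = $Store[$pagename]['passwdedit'] ?? $DefaultPasswords['edit'];
  return $rule === 'id:*' || $rule === "id:$authId";
}

// Simulate one edit-and-save request made by $user.
function SaveAs($user, $pagename, $isAdmin = false) {
  global $Store, $AuthId;
  if (!MayEdit($pagename, $user, $isAdmin)) return false;
  $AuthId = $user;
  $page = $Store[$pagename] ?? [];
  $new = $page;
  OnlyCreatorEdit($pagename, $page, $new);
  $Store[$pagename] = $new;
  return true;
}

var_dump(SaveAs('', 'Main.Notes'));        // anonymous visitor tries to create
var_dump(SaveAs('alice', 'Main.Notes'));   // alice creates the page
var_dump(SaveAs('bob', 'Main.Notes'));     // bob is logged in, not the creator
var_dump(SaveAs('alice', 'Main.Notes'));   // the creator edits again
var_dump(SaveAs('', 'Main.Notes', true));  // admin edits alice's page
echo $Store['Main.Notes']['passwdedit'], "\n";
```

Run it with the PHP command-line interpreter; it needs no PmWiki installation.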