[pmwiki-users] New Acme recipe...

Hans design5 at softflow.co.uk
Wed Apr 18 08:42:28 CDT 2007


Wednesday, April 18, 2007, 1:59:05 PM, The wrote:

> I have not studied the Fox security system in any degree, but if Hans
> is only relying on POST values to give users access to page editing
> functions, I'd say it is at the very least a potential security risk.
> I have mentioned this to Hans and even offered code to help with it,
> but it has not been used to my knowledge.

Since you mention Fox and call it at the very least a potential security
risk: please substantiate this claim.
I don't know what you mean by "give users access to page editing
functions". But I know that with Fox it is possible to post content
into pages, and also to delete posted sections if delete links are
part of the template. You cannot delete pages, and you cannot
overwrite content in pages. And Fox has so far no page edit function.
Plus the scope of pages or groups Fox can post to is by default very
restricted and can be set to any kind of more or less restrictive
pattern. Plus the general authorisation level for posting can be chosen
by the admin, for instance to allow only posting if you have page edit
rights.

I have not made claims about ZAP security. Nor could I.

Hope this helps for clarification.



  ~Hans



