[pmwiki-users] UserAuth2 : Working with ZAP?

The Editor editor at fast.st
Tue Dec 11 17:56:54 CST 2007


Dean,

I'm not keeping up with ZAP/PmWiki too much, but I think you can
disable the call for the ZAP password, by commenting out lines 17-18
in zap.php, like:

// $PageAttributes['passwdzap'] = 'Set ZAP forms password: ';
// SDV($DefaultPasswords['zap'],'');

This action is not password protected, by default, so commenting them
out should not make ZAP any less secure. These lines only give the
option for individuals to tap into PmWiki's built-in permission
controls (page attributes).

I never used that option myself, nor do I know of others who did, so
you won't be losing out on much functionality. But should there ever
be a ZAP upgrade, you will need to remember to repeat your hack, so
make a note somewhere...

Cheers,
Dan


On 12/11/07, Dean Staub <dean at staub.id.au> wrote:
>
>  ThomasP wrote:
>  On Sun, December 9, 2007 2:52 am, Dean Staub wrote:
>
>
>  First, Thank you Thomas for your work on the new module. It is a huge
> improvement over the former system - well done.
>
> I do however have a few small problems that I need to get to the bottom
> of. I have for example the latest version of ZAP installed and I can't
> get it to work.
> It says "You are not authorized to submit this form." and the test
> button function does nothing. How do I get around this?
>
> Another issue is I can't seem to access the Attribute pages when I am
> logged in as Admin. I understand this is not usually necessary, but in
> the case of Zap which adds a privilege to the attributes page I can't set
> it to no password (or clear it). This may have come from previous
> settings in the Attributes pages prior to installing your module.
>
>
>  Hi, thanks.
>
> I remember to have scrapped the "attr" level altogether (since no
> attribute pages had sense in my module), but one can simply reintroduce it
> as the pure editing of the attribute pages will have no adverse effect
> on the functioning of module. One will have to establish some action-level
> mapping like
>
> attr => admin
>
> (if you have a single admin setup), or rather something more elaborate
> otherwise (unless you want every admin to access attribute pages).
>
> The form submitting in ZAP will demand some more effort, as I have not
> used it myself before. A good starting point is to download the debug
> function from my profile page and use the built-in logging calls to look
> at what privilege is actually requested and denied. I can walk you through
> this in case you come across a stumbling stone.
>
> More or less the following:
>
> - download debug.php, put in cookbook dir
> - activate it in the local/config.php
> - set as the event that you want to observe "USAU"
> - go to the TryAccessingPage() in userauth2.php and uncomment every
> logging that might be interesting
> - sprinkle the code (after the append calls) with flushUA2ErrorLog()
> calls. [This would have usually been cared for by an exit handler.]
>
> I'm sure that this will lead us to the right info.
>
> Thomas
>
>
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>  Hi Thomas, thanks for your response.
>
>  I have found some time to follow your instructions above.
>  The results of your debug output are as follows for the error accessing a
> zap function;
>
>  2007-12-12 09:18:56 EST  USAU  Someone trying to access page Site.ZAPConfig
> at level read.
>  2007-12-12 09:18:56 EST  USAU  Site.ZAPConfig is a content page: yes
>  2007-12-12 09:18:56 EST  USAU  Access to Site.ZAPConfig at level read
> granted.
> --------------------------------------------------------------------------------
>  2007-12-12 09:19:22 EST  USAU  Warning: Someone asking for permission for
> unknown level 'zap'. Refused.
>
>  and for accessing the attribute page I get;
>  2007-12-12 09:49:16 EST  USAU  Someone trying to access page Site.ZAPConfig
> at level attr.
>  2007-12-12 09:49:16 EST  USAU  Site.ZAPConfig is a content page: yes
>  2007-12-12 09:49:17 EST  USAU  Access to Site.ZAPConfig at level attr NOT
> granted.
>  2007-12-12 09:49:17 EST  USAU  Current cache utilization: 26 perm queries,
> 0 user recs, 1 group recs, 0 ip range recs.
>  2007-12-12 09:49:17 EST  USAU  In total 1 uncached perm record loads, 1
> uncached perm queries.
>
>  I'm sorry, I am no expert at php, just a bit of a hacker, otherwise I would
> invest some time into trying to solve it myself.
>  (I have a single admin setup)
>  If you could lead me in the right direction here, I would be most grateful
> to test any ideas you have.
>
>  Also just a note about your Debug.php script, I had to also add the line
> $EnableDebug = 1; for it to work (I didn't see it mentioned on your profile
> page :-) )
>
>  Dean
>
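
The debug output quoted in this thread can be triaged mechanically. The following is an added example, not code from the thread or from UserAuth2: it strips the e-mail quoting, re-joins wrapped log lines, and lists every refusal with the level that was asked for. The regular expressions are derived only from the log lines quoted above, and the function names `rejoin` and `refusals` are hypothetical.

```python
import re

# Excerpt of the debug output quoted in the thread, kept with its e-mail
# quoting and line wrapping so the re-joining step has something to do.
SAMPLE = """\
>  2007-12-12 09:18:56 EST  USAU  Someone trying to access page Site.ZAPConfig
> at level read.
>  2007-12-12 09:18:56 EST  USAU  Access to Site.ZAPConfig at level read
> granted.
> ------------------------------------------------------------
>  2007-12-12 09:19:22 EST  USAU  Warning: Someone asking for permission for
> unknown level 'zap'. Refused.
>
>  and for accessing the attribute page I get;
>  2007-12-12 09:49:17 EST  USAU  Access to Site.ZAPConfig at level attr NOT
> granted.
"""

# Patterns inferred from the quoted log lines (an assumption, not a spec).
ENTRY = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+USAU\s+(.*)")
DECISION = re.compile(r"Access to (\S+) at level (\w+) (NOT granted|granted)\.")
UNKNOWN = re.compile(r"Warning: .* unknown level '([^']+)'\. Refused\.")

def rejoin(text):
    """Strip '>' quoting and glue wrapped continuation lines back together."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()
        if ENTRY.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry and line and set(line) != {"-"}:
            entries[-1] += " " + line
        else:
            open_entry = False  # blank line or separator ends the entry
    return entries

def refusals(text):
    """Return (timestamp, page or None, level, reason) for every refusal."""
    found = []
    for entry in rejoin(text):
        ts, msg = ENTRY.match(entry).groups()
        d, u = DECISION.match(msg), UNKNOWN.match(msg)
        if d and d.group(3) == "NOT granted":
            found.append((ts, d.group(1), d.group(2), "not granted"))
        elif u:
            found.append((ts, None, u.group(1), "unknown level"))
    return found

if __name__ == "__main__":
    for row in refusals(SAMPLE):
        print(row)
```

An "unknown level" row means the module has no mapping for that action at all, while a "not granted" row means the level is known but the current user lacks it; the two call for different fixes.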


