[pmwiki-users] Why all this zapping?

The Editor editor at fast.st
Tue May 1 11:33:12 CDT 2007


On 5/1/07, Ben Stallings <ben at interdependentweb.com> wrote:
> Patrick R. Michaud wrote:
> > This understates/misstates my point.  If ZAP is enabled on
> > _any_ publicly accessible pages, then an author with edit permission
> > to any other page on the site -- even pages where ZAP isn't
> > "enabled" -- can use ZAP directives to modify any other page on
> > the site.
>
> My first reaction to this was, "That's not true!" and indeed, when I
> tried it on a site using UserAuth, it was not.  It may also not be true
> under AuthUser, where Dan has done most of his testing (and I have not).
>  But using regular PmWiki authentication it is, in fact, possible for a
> user to save data to pages where s/he has no edit privileges.
> Fortunately for me, none of my sites use regular PmWiki authentication.
>  But I hope you'll look into this soon, Dan!  --Ben


Again, this is a feature, not a bug, in ZAP.  It's so users can post
comments etc. to pages they cannot edit.  As far as I know, however,
they cannot do this unless ZAP is enabled on those pages--which is what
Pm is suggesting.

You do need to block edit access to pages where ZAP is enabled or take
one of ZAP's other security measures on those pages, as stated clearly
in the tutorials on security at ZAPsite.

Cheers,
Dan


