[pmwiki-users] Posting Permission Patterns

The Editor editor at fast.st
Fri May 4 15:44:00 CDT 2007


On 5/4/07, Hans <design5 at softflow.co.uk> wrote:
> Friday, May 4, 2007, 8:08:04 PM, Patrick R. Michaud wrote:
>
> > For the approach I'm using, the admin (or recipe) defines not
> > only pattern pages, but also the forms and other requirements
> > before posting.
>
> > Effectively, the page-pattern array will say "if a page name fits
> > this pattern, then *this* is the string check pattern to assume
> > is on that page."
>
> > So, if I were using Fox's markup, it would have entries like:
>
> >     'Site.*' => '',               # disallow updates to Site.*
> >     'PmWiki.*' => '',             # disallow updates to PmWiki.*
> >     '*-Talk' => ':foxappend',     # we can append to *-Talk
> >     '/PITS.\\d+/' => ":fox 'formname'"  # we can update PITS.\\d with formname
>
> Hmm, is this perhaps not going too far? At least for what Fox can do
> at the moment? Fox will either append or prepend posted content, so
> specifying which does not make much difference. And ":fox 'formname'"
> as a way of specifying a specific fox form is not really secure, as
> one could use any name for formname.
>
> Also it does not provide a way to post to existing or new pages which
> have no string check pattern. I think for anything like a forum or a
> blog which creates all the time automatically new pages we need to use
> no string check pattern for target pages. How would you allow for
> these?
>
> That's why I did not want to mix string check patterns with pagename
> patterns.


Just to compare, ZAP now can lock down all page writing except where
explicitly allowed on a config page (and likewise all commands except
where enabled).

There are no allowed targets if the system is engaged, and allowed pages
are only allowed for specific target pages from specific form pages.
Site pages are especially blocked, requiring also a config variable.

Here's the syntax you would use in ZAP:

Snippets_Forum: Forum  (only this page can post to this group)
Snippets_Log: Log.2007-* (only this page can post to pages matching this)
Snippets_Test: Snippets.Test (only this page can only post to itself)
Snippets: Demo (any page in this group can post to any page in the other group)

And again, you still could not write to a page unless a write type
command was enabled.

Also on a closed edit system, you could skip creating these config
pages, and you would have full ZAP power everywhere with no extra
admin trouble. Seems to be working cool...

Cheers,
Dan
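
The default-deny check described in the message above, modelled as an added example that is not ZAP's code and not part of the original post. It covers only the "engaged" state; the reading of `Group_Page` keys and `*` wildcards, the `allow_site` flag name, and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed config text: the four rule lines quoted in the message.
RULES_TEXT = """\
Snippets_Forum: Forum
Snippets_Log: Log.2007-*
Snippets_Test: Snippets.Test
Snippets: Demo
"""

def parse_rules(text):
    """Return a list of (source_key, target_pattern) pairs."""
    rules = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        source, target = (part.strip() for part in line.split(":", 1))
        if source and target:
            rules.append((source, target))
    return rules

def may_post(rules, form_page, target_page, allow_site=False):
    """Default deny: a write passes only if an explicit rule pairs this
    form page (or its group) with this target page (or its group)."""
    if "." not in form_page or "." not in target_page:
        return False                      # malformed names never match
    form_group = form_page.split(".", 1)[0]
    target_group = target_page.split(".", 1)[0]
    # Site pages need the extra switch in addition to a matching rule.
    if target_group == "Site" and not allow_site:
        return False
    for source, target in rules:
        if "_" in source:                 # assumed: Group_Page names one page
            source_ok = source.replace("_", ".", 1) == form_page
        else:                             # assumed: bare name is a whole group
            source_ok = source == form_group
        if not source_ok:
            continue
        if "." in target:                 # full page name or wildcard pattern
            if fnmatchcase(target_page, target):
                return True
        elif target == target_group:      # bare name: any page in that group
            return True
    return False                          # no rule matched

RULES = parse_rules(RULES_TEXT)
```
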


