[pmwiki-users] How to protect against vandalism?
Peter & Melodye Bowers
pbowers at pobox.com
Tue Aug 5 09:21:53 CDT 2008
>I now have a "please enter qdk below" on my authform. That's great when a
>user is trying to edit an open page. But it can be confusing when a
>particular page has a different password or if someone is trying to change
>attributes rather than edit the page. Is there any way to put this message
>only when someone is editing an "open" page?
Is a solution like this pretty risky security-wise?
===(snip config.php)===
if ($action == 'edit') {
  echo "action=edit<br>\n";
  $FmtPV['$editpass'] = '$page["passwdedit"]';
}
===(snip)===
===(snip Site.AuthForm)===
(:if [ equal {$editpass} "" && equal {$Action} "edit" ] :)Please try qdk if
you don't know the password(:ifend:)
===(snip)===
Setting my password to a pagevar seems pretty weird, even though it will be
encrypted. However, I only do it when the action is "edit" when
(theoretically?) nobody could be doing anything to obtain it...
So, the question: is this pretty dangerous or does it seem OK from a
security standpoint?
-Peter