[pmwiki-users] security documentation for recipes

Patrick R. Michaud pmichaud at pobox.com
Tue Mar 4 11:20:31 CST 2008


On Tue, Mar 04, 2008 at 08:35:27AM +0100, Peter & Melodye Bowers wrote:
>    My understanding has been that as long as I go through the
>    RetrieveAuthPage() and UpdatePage() functions for ALL page-reading &
>    page-writing operations that they will enforce pmwiki authorizations &
>    security on my behalf.  Is that accurate?  Or do I need to check certain
>    authorizations explicitly?

UpdatePage() does not check any authorizations -- it simply updates
the page.

RetrieveAuthPage takes a number of parameters:

    $page = RetrieveAuthPage($pagename, $auth, $prompt, $since);

This will retrieve the page corresponding to $pagename
and verify that the visitor has $auth permissions on the
page (e.g., 'read', 'edit', 'attr', etc.).  If the visitor
has already established the appropriate authorizations to the
page, then the page data is returned (e.g., similar to ReadPage()).
If the visitor does not have authorization and $prompt is true,
then the visitor receives the Site.AuthForm page (asking for
a password or login).  If the visitor does not have authorization
and $prompt is false, then a false value is returned for $page,
indicating that they are not authorized.

Thus, I typically do something like:

    $page = RetrieveAuthPage($pagename, 'edit', false);
    if (!$page) { /* ...visitor does not have permission... */ }

Hope this helps,

Pm
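
The check-then-write pattern from the reply above, as an added example recipe; it is not code from the original post or from PmWiki itself. The action name `appendnote`, the handler `HandleAppendNote`, the `note` form field and the file location are hypothetical, and the file is assumed to be included from local/config.php.

```php
<?php if (!defined('PmWiki')) exit();
# Added example recipe (hypothetical): cookbook/appendnote.php, enabled with
#   include_once("$FarmD/cookbook/appendnote.php");   in local/config.php.
# 'appendnote', HandleAppendNote and the 'note' field are illustrative names.

SDV($HandleActions['appendnote'], 'HandleAppendNote');
SDV($HandleAuth['appendnote'], 'edit');   # permission level this action needs

function HandleAppendNote($pagename, $auth = 'edit') {
  # UpdatePage() performs no authorization check, so verify first.
  # $prompt = false: an unauthorized visitor produces a false $page
  # instead of being sent to Site.AuthForm.
  $page = RetrieveAuthPage($pagename, $auth, false);
  if (!$page) Abort("?not authorized to $auth $pagename");

  # Accept only a non-empty string from the POST body.
  $note = '';
  if (isset($_POST['note']) && is_string($_POST['note']))
    $note = trim(stripmagic($_POST['note']));
  if ($note == '') Redirect($pagename);

  # Keep the note on one line so it stays a single list item.
  $note = str_replace(array("\r", "\n"), ' ', $note);

  # Write only after the authorization check above has succeeded.
  $new = $page;
  $new['text'] = rtrim(@$page['text']) . "\n* " . $note . "\n";
  UpdatePage($pagename, $page, $new);
  Redirect($pagename);
}
```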


