[pmwiki-users] [pmwiki-devel] check authorization requirements for a given page
DaveG
pmwiki at solidgone.com
Thu Oct 1 15:58:55 CDT 2009
<<back on list>>
On 10/1/2009 4:25 PM, Frank Schweickert wrote:
>
>> In order to check for edit access to a page use RetrieveAuthPage():
>> RetrieveAuthPage($pagename, 'edit', true, 0)
> Yes, but this test would enable a malicious <script> on a not-password
> protected page for authorized editors, wouldn't it? (no good!)
> I wanted to make sure that <script> tags are ignored on any page that
> does not require any password,
> i.e. that has no password set along the "authcascade" (I found that word
> somewhere...),
> but that <script> is honoured for any even anonymous user on a page that
> has some edit password set (to make sure it is a good script)
So you want to:
# ignore <script> tags on non-password protected pages
# honor <script> tags for all pages with edit password set
As you point out, the problem with the RetrieveAuthPage approach is that
for non-password protected pages everyone has edit access. Then in that
case I think you'd need to check the password page attribute (refer to
the answers on my post earlier today "Setting page privs from
config.php"). You can do that by using code similar to what Hans suggested:
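$page = RetrieveAuthPage($pagename, 'read', true);
if (!$page) echo "?cannot read $pagename";
// empty() also covers the case where $page is false, so that case blanks the markup
if (!empty($page['passwdedit'])) { /* DEFINE MARKUP */ }
else { /* BLANK OUT THE MARKUP */ }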
~ ~ Dave
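
One way to fill in the two branches above for local/config.php, as an added example that is not code from this thread or from PmWiki itself. The names ScriptEditProtected(), ScriptMarkup() and the 'script' rule id are hypothetical, and it assumes a PmWiki release whose Markup() accepts a callback function name and that "no password" is stored as nopass or @nopass.

```php
<?php if (!defined('PmWiki')) exit();
// Added example: honour <script> only on pages that carry an edit password.

// True only if an edit password applies to $pagename. The nearest setting
// wins (page, then group attributes, then site default). Fails closed.
function ScriptEditProtected($pagename) {
  global $DefaultPasswords, $GroupAttributesFmt;
  static $cache = array();
  if (isset($cache[$pagename])) return $cache[$pagename];
  $cache[$pagename] = false;
  $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
  if (!$page) return false;                 // unreadable page: treat as unprotected
  $group = ReadPage(FmtPageName($GroupAttributesFmt, $pagename), READPAGE_CURRENT);
  $levels = array(@$page['passwdedit'], @$group['passwdedit'],
                  @$DefaultPasswords['edit']);
  foreach ($levels as $pw) {
    $tokens = preg_split('/[\\s,]+/', implode(' ', (array)$pw), -1,
                         PREG_SPLIT_NO_EMPTY);
    if (!$tokens) continue;                 // nothing set at this level, look further up
    // Assumed spellings of the "no password" marker; anything else counts as a password.
    $open = array_intersect($tokens, array('nopass', '@nopass'));
    return $cache[$pagename] = !$open;
  }
  return false;                             // no edit password anywhere
}

// Markup callback. Wiki text reaches markup rules HTML-escaped, so the rule
// matches &lt;script ... &lt;/script&gt; rather than raw tags.
function ScriptMarkup($m) {
  global $pagename;
  if (!ScriptEditProtected($pagename)) return '';          // BLANK OUT THE MARKUP
  return Keep(htmlspecialchars_decode($m[0], ENT_NOQUOTES)); // DEFINE MARKUP
}

// 'fulltext' runs before the text is split into lines, so multi-line
// script elements are matched as a whole.
Markup('script', 'fulltext',
  '/&lt;script\\b.*?&lt;\\/script&gt;/is', 'ScriptMarkup');
```

The decision is keyed on the page being browsed, so text brought in with (:include:) from a page without an edit password is judged by the including page's setting. Read passwords and the rest of the authorization cascade are not considered here.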