[pmwiki-users] How to detect if a page has @nopass for the read password
Petko Yotov
5ko at 5ko.fr
Tue Jul 13 16:20:12 CDT 2010
On Tuesday 13 July 2010 13:41:27, Eemeli Aro wrote :
> Which actually raises an interesting point: is it really sensible that
> page variables don't obey any permissions, but are always accessible?
> Page text variables are protected, mind. Would it really give a huge
> performance hit if PageVar() also checked for permissions before
> processing a page variable?
Most default PageVariables have to be visible even if the page is read-
protected, for example {$Author}, {$Group}, {$FullName}, {$DefaultGroup} etc.,
otherwise major parts of PmWiki may break, notably links and skins. And
because the PageVariables are 'eval'-uated from strings, we can't know in
advance if a page should or shouldn't be checked against permissions. So we
don't check. I don't think that is a problem that needs to be addressed at the
moment.
If admins add new PageVariables, they should know that these are potentially
visible for all pages. We should document this. OTOH, a PV can be defined with
a custom function which uses RetrieveAuthPage() to check permissions.
Petko
More information about the pmwiki-users
mailing list