[pmwiki-users] &action=source

Randy Brown randy at brownragfilms.com
Tue Jun 30 18:27:32 CDT 2015


Beware: An edit password will not protect everything on a readable page that is hidden by (:if false:). This is because an unauthorized user can use (:include:) on another page with the lines= option to circumvent your conditional.

If you need something to be well protected, put it on a separate read protected page. If you need to see it sometimes on an unprotected page depending on a conditional, you can include it from the protected  page - it will only be visible to users who can read both pages.

Randy

On 2015-06-28 22:53, JamesM wrote:
> I've been using pmwiki for a few years, and have only just discovered 
> the
> &action=source thing.
> Unfortunately, this shows the entire source, including things written 
> after
> (:if false:), which I use for hiding information (it's on a lecture 
> course
> website, and I have some stuff hidden from student view).
> 
> So, how can I disable &action=source?
> Or better, password protect it.
> 
> I tried putting
> $DefaultPasswords['source']=' .... ';
> into config.php.  This works for ['admin'] and ['edit'] but seems to 
> make
> no difference for ['source'].



More information about the pmwiki-users mailing list