[pmwiki-devel] ZAP farms: a modest proposal for security

Neil Herber (nospam) nospam at eton.ca
Thu May 3 12:18:44 CDT 2007


On 2007-05-03 Patrick R. Michaud is rumoured to have said:
> But, I think that for the situation I described above, where we want authors to be able to use ZAP features but still have a need to protect them from each other, the outcome of this suggestion would be that each author (or each partition of authors that can trust each other) would therefore need its own field. That's probably workable to some extent, but I don't think it's what most people expect. 

Any recipe that allows access to pages that are supposed to be protected 
(by edit or admin password) would be of concern to me. In particular, 
where I use AuthUser to grant access to particular groups, I would be 
very concerned that someone could "upgrade" their access privileges.

Keeping users walled off from each other is one worry, but being able to 
alter Site group pages is an even bigger worry.

I switched from using 4 wikis in a farm to a single wiki with AuthUser 
because it simplified my admin tasks. I still use a farm to run separate 
wikis.

-- 
Neil Herber
Corporate info at http://www.eton.ca/


