[pmwiki-devel] check authorization requirements for a given page

Frank Schweickert f.schweickert at uva.nl
Thu Oct 1 16:54:48 CDT 2009


Problem solved, thanks to Dave and Hans!

For me and my users, this should do the trick in local/config.php
   $page = RetrieveAuthPage($pagename, 'read', true);
   if ($page['passwdedit']) Markup(...);

But could I have known about $page['passwdedit'] in the first place?
Did I overlook some documentation page, or is it just a matter of
reading pmwiki source code
(and/or every contribution in this mailing list)?

Kind regards,
Frank


DaveG wrote:
> <<back on list>>
>
> On 10/1/2009 4:25 PM, Frank Schweickert wrote:
>>
>>> In order to check for edit access to a page use RetrieveAuthPage():
>>> RetrieveAuthPage($pagename, 'edit', true, 0)
>> Yes, but this test would enable a malicious <script> on a not-password
>> protected page for authorized editors, wouldn' it? (no good!)
>> I wanted to make sure that <script> tags are ignored on any page that
>> does not require any password,
>> i.e. that has no password set along the "authcascade" (I found that word
>> somewhere...),
>> but that <script> is honoured for any even anonymous user on a page that
>> has some edit password set (to make sure it is a good script)
> So you want to:
> # ignore <script> tags on non-password protected pages
> # honor <script> tags for all pages with edit password set
>
> As you point out the problem with the RetrieveAuthPage approach is 
> that for non-password protected pages everyone has edit access. Then 
> in that case I think you'd need to check the password page attribute 
> (refer to the answers on my post earlier today "Setting page privs 
> from config.php"). You can do that by using code similar to what Hans 
> suggested:
>
>    $page = RetrieveAuthPage($pagename, 'read', true);
>    if (!$page) echo "?cannot read $pagename";
>    if ($page['passwdedit']) { DEFINE MARKUP }
>    else { BLANK OUT THE MARKUP }
>
>
>  ~ ~ Dave
>


-- 
_______________________________________________________________________
Dr. Frank F. Schweickert
AMSTEL Institute, Faculty of Science, University of Amsterdam
Science Park 904, Amsterdam, Room C2-1.22
Postal address: Postbus 94224, 1090 GE Amsterdam
Phone: +31 20 525-8475 (secr. -5886)
http://www.science.uva.nl/amstel
http://www.natsim.net





More information about the pmwiki-devel mailing list