[pmwiki-devel] Reading the page, and forcing a re-read

DaveG pmwiki at solidgone.com
Tue Sep 8 13:50:12 CDT 2009



Eemeli Aro wrote:
> Now, all that needs to be permitted is 'edit' or 'publish' access to
> pages in the comment group when using the action 'pmform', which I've
> done by defining a wrapper function around $AuthFunction (by default,
> PmWikiAuth) which is called by RetrieveAuthPage, which is what e.g.
> CondAuth uses internally. It's this $AuthFunction that's maintaining
> any cache of authorization permissions, hence a wrapper around it
> isn't bothered by any previous page reads.
> 
> Now, the way RetrieveAuthPage is used almost always (including PmForm)
> is by calling it with a page name and a level of authorization that
> should be checked, and if the return is false that means authorization
> has been denied, otherwise the return is the requested page. What my
> wrapper does is before calling $AuthFunction it checks for a specific
> set of conditions and if those match, it calls $AuthFunction for the
> comment page in question using 'read' permission instead.
> 
> So take a look at the BlogeAuth function near the end of bloge.php for
> a possible answer. The other stuff that BlogeAuth does allows for
> anonymous users to edit their comments for up to half an hour from
> their last edit and helps hide blog posts that are drafts or with
> future create dates from being seen by anonymous users. The really
> tricky part is keeping those pages from showing up in pagelists, which
> maintain their own cache that uses RetrieveAuthPage slightly
> differently from everything else.
Based on this, I think I have things working pretty well. I've not yet 
tested with the scenario that caused issues, but the basics are working. 
Essentially I do this:

if ( COMMENTING ) {
    #Force read privs for public commenting
    $page = PmWikiAuth($pagename, 'read', $authprompt, $since);
}else{
    #If not commenting, let default PmWiki authorization take place.
    $page = PmWikiAuth($pagename, $level, $authprompt, $since);
}

This is simplified a little, and I don't hard-code with a call to 
PmWikiAuth. Am I correct in this approach, or have I missed something?



[1] Also, I was curious from a Bloge perspective, what is the purpose of 
this line, which seems to say "if we don't prompt the user for 
credentials don't allow access" - when would $authprompt be false?
    if (!$authprompt) return FALSE;


[2] I *think* the purpose of these lines is to override the 
authentication levels for the current page, i.e., current user has 
read/edit permissions. Is that correct? Thus, subsequent calls to 
something like CondAuth would return read privs.
    $page['=auth']['read'] = 0;
    $page['=passwd']['read'] = $page['=passwd']['edit'];


[3] The way I interpret the code is that Bloge may do multiple calls to 
$BlogeAuthFunction -- possibly as many as three calls. I suspect the 
logic conditions on each would preclude 3 calls, but minimally it will 
be 2 calls. Is there a reason for that?
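
As an added example (not part of the original post, and not Bloge's or PmWiki's own code), here is a wrapper of the kind discussed in this thread that downgrades the check to 'read' only for the pmform action, an 'edit' or 'publish' level, and a page in the comment group. CommentAuth, $CommentGroup, $WrappedAuthFunction and the stub PmWikiAuth are assumptions made for illustration.

```php
<?php
// Added example: not Bloge's or PmWiki's own code. In a wiki this would sit in
// local/config.php; run from the CLI it uses the constructed stub below.
if (!function_exists('PmWikiAuth')) {
  // Constructed stand-in: anonymous visitors may read any page, nothing more.
  function PmWikiAuth($pagename, $level, $authprompt = true, $since = 0) {
    return ($level == 'read') ? array('name' => $pagename) : false;
  }
}

$CommentGroup = 'Comments';  // assumption: the group that holds comment pages
// Remember whichever handler was installed before this wrapper.
$WrappedAuthFunction = isset($AuthFunction) ? $AuthFunction : 'PmWikiAuth';
$AuthFunction = 'CommentAuth';

// Hypothetical wrapper with the same signature as PmWikiAuth.
function CommentAuth($pagename, $level, $authprompt = true, $since = 0) {
  global $action, $CommentGroup, $WrappedAuthFunction;
  // Downgrade to 'read' only when all three conditions hold; any other
  // request goes through with the level the caller asked for.
  $commenting = $action == 'pmform'
    && in_array($level, array('edit', 'publish'), true)
    && preg_match('/^' . preg_quote($CommentGroup, '/') . '\.[^.]+$/', $pagename);
  $auth = $WrappedAuthFunction;
  return $auth($pagename, $commenting ? 'read' : $level, $authprompt, $since);
}

if (PHP_SAPI == 'cli') {
  // Constructed cases: only the first one is downgraded and therefore allowed.
  $cases = array(
    array('pmform', 'Comments.Post1', 'edit'),
    array('pmform', 'Main.HomePage',  'edit'),
    array('edit',   'Comments.Post1', 'edit'),
    array('pmform', 'Comments.Post1', 'attr'),
  );
  foreach ($cases as $case) {
    list($action, $pn, $level) = $case;
    $ok = CommentAuth($pn, $level, false) ? 'allowed' : 'denied';
    echo "$action $pn $level: $ok\n";
  }
}
```

Keeping the level and group tests inside the condition means a pmform request cannot turn an 'attr' or 'admin' check, or an edit check on a page outside the comment group, into a 'read' check.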


