[pmwiki-users] RSS Security issue
Patrick R. Michaud
pmichaud at pobox.com
Sun Apr 17 08:57:56 CDT 2005
On Sun, Apr 17, 2005 at 05:55:24AM -0400, Crisses wrote:
> When I have RSS enabled and Main/Blocklist is in the RecentChanges
> page, but is edit & read passworded, it still shows up in the RSS feed.
>
> ie http://www.kinhost.org/wiki/Main/RecentChanges?action=rss
> [...]
> This page is passworded via /local/Main.Blocklist.php
It's not possible to read-protect pages/groups via the per-page
(or per-group) customizations, because those customizations aren't
loaded when you aren't accessing that page directly.
In this case, since you're accessing Main.RecentChanges,
local/Main.Blocklist.php isn't being loaded and so the page
appears unprotected.
Page and group passwords should always be done through ?action=attr.
Pm
More information about the pmwiki-users
mailing list