[pmwiki-users] commenting to private pages

Hans design5 at softflow.co.uk
Tue Dec 19 15:22:19 CST 2006


Tuesday, December 19, 2006, 8:58:54 PM, Neil wrote:

> I would not want anyone without the correct permissions to be able to
> post to a read protected page except under one circumstance: posting to
> a "private comments" page. In this case I want people to be able to 
> leave comments, but not see comments that others have left. I don't want
> a separate page for each comment. In some ways it is like email - once
> you have sent it, you can't edit it and only the designated reader can
> see it.

The way Fox will handle this, once I put in the switch to ReadPage(),
bypassing Auth, is that you can create a comment form specifying a
target page. The target page can be read and edit protected, and the
page with the comment form can be edit protected.

And as an additional security matter, Fox got an array of allowed (and
disallowed) pagename patterns, with which an admin can restrict the
choice of page names Fox may post to.

A third measure is requiring users to enter a randomly generated access
code.

A fourth measure is disabling posting of directives.

I hope these measures are a sufficient safeguard for sites which
want to allow commenting or other form posting to users who have no
edit rights in general.

For sites wishing to restrict posting to logged in users with general
edit permission the admin can set $FoxAuth to 'edit', and then all
page reads, for adding or deleting posts, require edit permission.

If I missed anything blatant, or otherwise, please let me know!


Hans
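
An added illustration of the allowed/disallowed page-name patterns and the directive disabling described in this message; it is not code from Fox or from the author. The function names, the pattern syntax (shell wildcards, a leading `-` for a disallowed pattern) and the sample page names are assumptions.

```php
<?php
// Hypothetical pattern list, not Fox's real configuration variable.
// Patterns are matched against "Group.Name"; a leading '-' marks a deny pattern.
$targetPatterns = [
    'Comments.*',          // allow any page in the Comments group
    '*.PrivateComments',   // allow a PrivateComments page in any group
    '-Site.*',             // never post into Site.* pages
    '-*.GroupAttributes',  // never overwrite group attribute pages
];

// Decide whether a form may write to $pagename (hypothetical helper).
function target_allowed(string $pagename, array $patterns): bool {
    // Accept only a plain Group.Name, so path tricks never reach the matcher.
    if (!preg_match('/^[A-Za-z0-9][\w-]*\.[A-Za-z0-9][\w-]*$/', $pagename)) {
        return false;
    }
    $allowed = false;                       // default deny
    foreach ($patterns as $p) {
        if ($p === '') continue;
        $deny = ($p[0] === '-');
        $glob = $deny ? substr($p, 1) : $p;
        if (fnmatch($glob, $pagename)) {
            if ($deny) return false;        // a deny match always wins
            $allowed = true;
        }
    }
    return $allowed;
}

// Disable directives in posted text: wiki directives are written (:name ...:),
// so the opener is rewritten with an entity for the colon. Assumption: the
// wiki renders &#58; as a literal ':' and no longer parses a directive.
function neutralize_directives(string $text): string {
    return str_replace('(:', '(&#58;', $text);
}

// Constructed sample inputs.
$samples = ['Comments.Neil', 'Main.PrivateComments', 'Site.Config',
            'Comments.GroupAttributes', '../Site.Config', 'Main.HomePage'];
foreach ($samples as $name) {
    printf("%-26s %s\n", $name, target_allowed($name, $targetPatterns) ? 'allow' : 'deny');
}
echo neutralize_directives("Nice page (:include Site.Config:)"), "\n";
```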