[pmwiki-users] self-registering for notification emails
Patrick R. Michaud
pmichaud at pobox.com
Mon Jun 5 09:48:15 CDT 2006
On Mon, Jun 05, 2006 at 10:23:46AM -0400, Neil Herber wrote:
> At 2006-06-05 09:11 AM -0500, Ben Wilson is rumored to have said:
> >For what it's worth, I am beginning to take a different approach to
> >the same thing. When you use (:if:) conditionals to conceal text,
> >remember that if a user can ?action=source, then the concealed text is
> >available.
>
> Hi Ben
>
> I am not sure that you have to be quite this cautious. Action
> "source" requires "edit" permission (at least it does on my wikis).
> One potential security leak is action "diff" which will expose edits
> to anyone with read access. The way around that is to recreate the
> page without history after an edit.

Another option is to require edit permission for both source and diff:

    $HandleAuth['source'] = 'edit';
    $HandleAuth['diff'] = 'edit';

Pm