[pmwiki-users] ajax-like skins (was: new recipe ShowHide)

John Rankin john.rankin at affinity.co.nz
Thu Mar 2 17:31:49 CST 2006


On Friday, 3 March 2006 11:58 AM, Robin Sheat <robin at kallisti.net.nz> wrote:
>On Friday 03 March 2006 11:48, John Rankin wrote:
>> How does AJAX address security? If I can read, but not edit, how
>> does it know whether "go here to edit the page" is an allowed
>> show/hide event in browse mode?
>Well, all the requests go via the server, it's simple enough for the 
>server to say 'Not authorised', or open a password box or something.
>-- 
>Robin <robin at kallisti.net.nz> JabberID:
><eythian at jabber.kallisti.net.nz>
>
(after a small earthquake...)

I like that "simple enough" -- so I haven't thought it through. 
As I understand Jon's proposal, we browse a page, then we 
click an edit link the browser does a 'hide' of the page and 
'show' of the edit form. So far, this is through a pmwiki 
?action=browse, and pmwiki's HandleBrowse doesn't know whether 
the user is authorised to edit. So, pmwiki shows the reader an
edit screen on the same basis that ?action=source doesn't normally
require an edit password, but if the reader presses Save or
Preview, this invokes a HandleEdit and the reader gets prompted
for an edit password as normal, if necessary.

So we just need to refine the definition of $HandleBrowseFmt.
Got it. As long as we don't mind showing an edit screen to a
person who may not have edit access rights, "it just works".
A reader can see an edit screen, but not save any edits without 
a password. And I guess it's "simple enough" to make HandleBrowse
smarter and prevent access to the show edit screen toggle.


Thanks for that.
-- 
JR
--
John Rankin






More information about the pmwiki-users mailing list