[pmwiki-users] ZAPauth & PmWiki

The Editor editor at fast.st
Mon Oct 16 13:10:29 CDT 2006


As Pm is catching up on emails, thought I would repost this one that
has been perplexing me for a while.

On 10/15/06, The Editor <editor at fast.st> wrote:
> I'm trying to improve the permissions systems in ZAP a bit to make it
> tie in better with PmWiki.  I want to give admins the ability to set
> various features to various auth levels, so that emailing might only
> be allowed to those with edit permission, file management only to
> those with upload permissions, or reading data to those with read
> permissions, etc.  Or whatever.
>
> I suppose you could also define custom actions and tap into them.
> Using AuthUser should also allow you to set groups, set things in
> GroupAttributes, etc.  It would extend the flexibility of PmWiki to
> ZAP very nicely.
>
> The question is, how do I access a given user's current auth level
> within a recipe such that I could say something like,
>
> SDV($ZAPauth[email], "admin");
> if( ~get users auth level~ == ZAPauth[email])  execute emailer()
>
> Also, on a related note, how does PmWiki avoid forged headers with an
> upload form?  I presume some sort of security checking is done to
> prevent users from tapping into the session variables.  Is it not that
> the submitter's auth level, or perhaps some other PmWiki session
> variable is checked (that is difficult to spoof)?  If so, it seems
> this should perhaps be a default check for ZAP as well.  Right now I'm
> checking some session info but not any from PmWiki.
>
> Cheers,
> Caveman
>
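The per-feature gate asked about above, as an added example that is not part of the original message and is not ZAP's or PmWiki's own code. It assumes the installed PmWiki provides `CondAuth($pagename, $level)`; `ZAPAllowed()`, the `files` and `data` feature names, `$DemoGranted` and the page name `Main.Contact` are hypothetical.

```php
<?php
// Added example: map each ZAP feature to the PmWiki auth level it requires
// and decide on the server, per request, whether the visitor holds it.

// Stand-in so this file runs outside PmWiki. Inside PmWiki the real
// CondAuth() from pmwiki.php is already defined and this block is skipped.
if (!function_exists('CondAuth')) {
  function CondAuth($pagename, $level) {
    global $DemoGranted;   // constructed sample data, see below
    return isset($DemoGranted[$pagename])
        && in_array($level, $DemoGranted[$pagename], true);
  }
}

// Admin-configurable map: ZAP feature => required PmWiki auth level.
// 'email' => 'admin' comes from the message; the other keys are hypothetical.
$ZAPauth = array(
  'email' => 'admin',
  'files' => 'upload',
  'data'  => 'read',
);

// Default deny: a feature with no configured level is refused, and the
// level is always read from server-side config, never from form fields.
function ZAPAllowed($pagename, $feature) {
  global $ZAPauth;
  if (!isset($ZAPauth[$feature]) || !is_string($ZAPauth[$feature])) {
    return false;
  }
  return (bool) CondAuth($pagename, $ZAPauth[$feature]);
}

// Constructed demo: a visitor holding read and edit on one page.
$DemoGranted = array('Main.Contact' => array('read', 'edit'));
foreach (array('email', 'files', 'data', 'unknown') as $feature) {
  printf("%-8s %s\n", $feature,
         ZAPAllowed('Main.Contact', $feature) ? 'allow' : 'deny');
}
```

Each ZAP handler would call `ZAPAllowed()` immediately before performing the action, so a hand-crafted POST gets the same answer as the rendered form.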



