[pmwiki-users] ZAPauth & PmWiki
The Editor
editor at fast.st
Mon Oct 16 13:10:29 CDT 2006
As Pm is catching up on emails, thought I would repost this one that
has been perplexing me for a while.
On 10/15/06, The Editor <editor at fast.st> wrote:
> I'm trying to improve the permissions systems in ZAP a bit to make it
> tie in better with PmWiki. I want to give admins the ability to set
> various features to various auth levels, so that emailing might only
> be allowed to those with edit permission, file management only to
> those with upload permissions, or reading data to those with read
> permissions, etc. Or whatever.
>
> I suppose you could also define custom actions and tap into them.
> Using AuthUser should also allow you to set groups, set things in
> GroupAttributes, etc. It would extend the flexibility of PmWiki to
> ZAP very nicely.
>
> The question is, how do I access a given user's current auth level
> within a recipe such that I could say something like,
>
> SDV($ZAPauth[email], "admin");
> if( ~get users auth level~ == ZAPauth[email]) execute emailer()
>
> Also, on a related note, how does PmWiki avoid forged headers with an
> upload form? I presume some sort of security checking is done to
> prevent users from tapping into the session variables. Is it not that
> the submitter's auth level, or perhaps some other PmWiki session
> variable is checked (that is difficult to spoof)? If so, it seems
> this should perhaps be a default check for ZAP as well. Right now I'm
> checking some session info but not any from PmWiki.
>
> Cheers,
> Caveman
>