[pmwiki-users] how to prevent access to the EditForm in a Forum

Florian Fischer Flori-Fischer at gmx.net
Tue Oct 31 04:07:58 CST 2006


-------- Original Message --------
Date: Tue, 31 Oct 2006 09:51:38 +0000
From: Hans <design5 at softflow.co.uk>
To: "Florian Fischer" <Flori-Fischer at gmx.net>
Subject: Re: [pmwiki-users] how to prevent access to the EditForm in a Forum

> Tuesday, October 31, 2006, 8:59:36 AM, Florian wrote:
> 
> > I've implemented Forumstyled and commentboxplus in order to create a
> > Forum. This Forum is a group itself. Now I try to make this area
> > secure. Well use a conditional to show the commentbox if a user is
> > logged in and has the edit rights for the Forum area. Using dynamic
> > Pageactions the tab "edit" isn't available either (only for
> > admins). But since the users have edit rights, they can open the
> > Site.EditForm simply by adding ?action=edit. This is what I would
> > like to prevent. How can this be made possible without setting a
> > read password on it?
> 
> I don't understand you quite.
> You say logged-in users have edit permission?
> So they see the commentbox, and can edit the page, even though the
> edit etc. action links are shown only to the admin.
> This seems to be what should happen, since they have edit permission.
> 
> If you use authuser I think you can assign each user to a @user group,
> and have a conditional markup checking against this:
> (:if auth @user:)(:commentbox:)
> But I have not tested this.
> 
> 
> Hans

Hello Hans,

This is exactly what I've already done. But I try to explain it again. Normal users with edit rights can edit by entering a message in the commentbox (visible by a conditional). This works fine. The output of (:commentboxchrono:) is shown above the commentbox. If a user with edit rights knows that he can modify the already posted messages by entering the normal EditForm by adding ?action=edit to the URL, this isn't a good thing. And someone who is familiar with PmWiki knows that if he has edit rights he can edit a message by adding ?action=edit although there are no edit links. Is it possible to limit the access to the EditForm only to admins? In my Forum no one except the admin should be able to modify existing messages, i.e. the EditForm shouldn't be available for normal users with edit rights.

Any ideas?

Florian
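
Hiding the edit tab changes only what is displayed; the edit action stays reachable for anyone holding edit rights, which is the gap described in the message above. As an added example (not part of the original thread and not code from PmWiki or the recipe authors), one way to enforce the restriction on the server is a per-group configuration file that raises the authorization level PmWiki requires for `?action=edit`. The group name `Forum` and the file name derived from it are assumptions.

```php
<?php if (!defined('PmWiki')) exit();
// local/Forum.php: per-group customization file, loaded only for pages
// in the group "Forum" (assumed name; use the forum's real group name).

// Weak control: removing the "edit" tab or wrapping markup in (:if ...:)
// only changes the rendered page. The action is still authorized at the
// 'edit' level, which is PmWiki's default mapping:
//   $HandleAuth['edit'] = 'edit';

// Enforced control: require the 'admin' level for ?action=edit in this
// group. PmWiki consults $HandleAuth[$action] when it dispatches the
// request, so the check applies however the URL was reached.
$HandleAuth['edit'] = 'admin';
```

This assumes the comment box recipe saves posts through its own action rather than through `?action=edit`. Verify as a non-admin user that posting a comment still works and that requesting `?action=edit` on a forum page now asks for the admin password.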



