[pmwiki-users] Permissions, edits and comments

Patrick R. Michaud pmichaud at pobox.com
Sat Sep 30 11:59:49 CDT 2006


On Sat, Sep 30, 2006 at 11:44:37AM -0500, Patrick R. Michaud wrote:
> On Sat, Sep 30, 2006 at 10:02:39AM -0500, Patrick R. Michaud wrote:
> > On Sat, Sep 30, 2006 at 04:52:39PM +0200, Mike wrote:
> > > As posted before,
> > > CommentBox seems to have a possible security issue by allowing users to
> > > post directives, 
> 
> If you're running 2.2.0-beta7 or later and want to try an
> automatically downloaded blocklist for commentbox, this
> ought to now be possible with:
> 
>   $EnableBlocklist = 1;   
>   if ($action == 'comment')
>     $BlocklistDownload['Site.Blocklist-comment'] = array('format' => 'pmwiki');

OOOOPS.  No, this won't work yet.  Turns out that
commentboxplus.php is using HandleEdit, which means
that the above will prevent people from adding comments
to pages that already have a (:title:) directive on them.

I'll have to think a bit more about how we might handle
per-action blocklists -- this really isn't something 
that we had explicitly contemplated before now (at
least I wasn't aware of it).

(Pm prepares to hit 'send' on this message... and then...)

Oh!  Yes, I do know how to handle it.  Okay, I'll add the
capability into an upcoming beta where we can test it.

Thanks,

Pm
