[pmwiki-users] brain storming form posting and control

Patrick R. Michaud pmichaud at pobox.com
Sat Apr 21 08:32:24 CDT 2007


On Sat, Apr 21, 2007 at 09:31:05AM +0100, Hans wrote:
> 4. But we would like to allow posting in a limited manner sometimes,
> for instance for users to insert comments in pages for which they have
> no edit or perhaps even no read access.
> 
> 5. This cannot be controlled inside the form, but has to be controlled
> by the target page. So the target page needs to carry an attribute
> saying "I am allowed to be posted to, in  a limited manner, even though
> I may not be allowed to be edited". We called it previously a
> 'comment' attribute, to go alongside 'read', 'edit', etc.

I decided yesterday that forms-handling system is going to handle this
by looking for specific strings on the target page that allow it.
It will also be possible to indicate the types of allowed postings,
and to delegate the authority to other locations based on the
target page's name.

(If this doesn't make sense to anyone -- don't worry, it will.)

> 7. But perhaps this is okay, as the author/form designer has edit
> permission to do so, and should avoid to construct forms which may
> provide too much editing powers to users for posting to target pages,
> to which they are allowed to post, controlled by the 'comment' attribute.
> In other words: We can leave it up to the form author to decide which
> is an appropriate 'limited manner' for a 'comment' auth level of page
> edits.

One has to be careful with this reasoning; anyone who has 
write permission to a page can potentially be a form author.

Pm



More information about the pmwiki-users mailing list