[pmwiki-users] UserAuth2 and WikiCalendar problem

ThomasP pmwikidev at sigproc.de
Tue Jun 12 09:40:29 CDT 2007


On Mon, June 11, 2007 20:47, IchBin wrote:
> ThomasP wrote:
>> On Tue, June 5, 2007 20:02, IchBin wrote:
>>> IchBin wrote:
>>>
>>> Not sure if I mentioned this Thomas but as an 'admin' user there is no
>>> security problem posting a formatted item to the WikiCalendar using the
>>> (:wikilogbox:) markup. Guess this would rule out any non normalized page
>>
>> This is indeed quite good to know!!!
>>
>>> url. The problem is only with a regular user even though they have a
>>> 'ed_Calendar.*' rule. I mean the format of the calendar days is
>>> 'Calendar.yyyymmdd'.
>>>
>>
>> I have tested that 'Calendar.20071111' matches 'Calendar.*' with the UA2
>> functions, so no problems from the pattern check to be expected. It would
>> thus indeed be very interesting to know where the problem stems from.
>>
> ...
> 'Calendar.*' for rule 'ed_Calendar.*'. I think the rule is fine because
> if I do not use the (:wikilogbox:) markup to add or update a calendar
> date page I get no security error and works as designed.
>
> Doing this without the (:wikilogbox:) markup you do:
>
> - Select a day on the visible calendar on the
> 'Calendar/Calendar' page. This opens or creates a calendar date page.
> - Enter my text and save on that page and there is no problem.
> - After this it displays on the visual calendar and by using the
> (:thisweek:) markup.
>
> If I take that rule out of this group I can not do what I just mentioned
> above. So the rule is fine there is a one-to-one relationship by having
> or not having that rule.

That is logical - so the rule itself and its interpretation by UA2 seems
not lacking.

> Seems that the problem is the interaction between the (:wikilogbox:) and
> UserAuth2.
>

Yes. To put a clear statement on this I would say:

If the UA2 module indeed denies Calendar/20071111 or whatever on level
edit though ed_Calendar.* is specified in a respective user perm record,
then it is a UA2 problem and I will find the solution. (Could
theoretically happen as part of variable interference. Is improbable
though - I just had a look in the WikiCalendar code, and nothing looks
suspicious.)

If however you get insufficient privileges with something else (for
example with a permission level that is not known to (not registered with)
UA2, much more probable from what I can see), then it is the
responsibility of WikiCalendar to make sure the right parameters are
delivered, or at least to set a default permission level mapping like

$HandleAuth['wikilog'] = ...; // whatever is useful, for example 'edit'

[If you got a newer version of UA2, then activating the logging with
$HTMLFooterFmt[] (search for "PERM" in userauth2.php) will tell you what
exactly is blocked.]

Thomas
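
The second case described in the message above, as an added example that is not part of the original post and is not UserAuth2 or WikiCalendar code: a simplified default-deny check in which the 'Calendar.*' pattern matches but an action with no registered permission level is still refused until it is mapped. The function name, the record layout, the 'rd' prefix and the message strings are assumptions; only the 'ed_Calendar.*' rule, the 'wikilog' action and $HandleAuth come from the thread.

```php
<?php
// Simplified model of a default-deny permission check. NOT UserAuth2's code:
// checkAccess(), $LevelPrefix and the record layout are hypothetical.

// Action -> permission level. 'wikilog' is deliberately absent at first.
$HandleAuth = ['browse' => 'read', 'edit' => 'edit'];

// Level -> rule prefix; 'ed' is taken from the thread, 'rd' is assumed.
$LevelPrefix = ['read' => 'rd', 'edit' => 'ed'];

// Constructed permission record for a regular user.
$userPerms = ['rd_*.*', 'ed_Calendar.*'];

function checkAccess(array $perms, string $page, string $action): array {
    global $HandleAuth, $LevelPrefix;
    // Accept Group/Name as well as Group.Name before matching rules.
    $page = str_replace('/', '.', $page);
    $level = $HandleAuth[$action] ?? null;
    // Default deny: an action without a known level never reaches the rules.
    if ($level === null || !isset($LevelPrefix[$level])) {
        return [false, "deny: action '$action' has no known level"];
    }
    $prefix = $LevelPrefix[$level] . '_';
    foreach ($perms as $rule) {
        if (strncmp($rule, $prefix, strlen($prefix)) !== 0) continue;
        if (fnmatch(substr($rule, strlen($prefix)), $page)) {
            return [true, "allow: $rule matches $page ($level)"];
        }
    }
    return [false, "deny: no $prefix rule matches $page"];
}

// Same page, same user record: only the requested action differs.
foreach (['edit', 'wikilog'] as $action) {
    [$ok, $why] = checkAccess($userPerms, 'Calendar/20071111', $action);
    echo "$action: $why\n";
}

// Registering a level for the action (here 'edit') lets the existing rule apply.
$HandleAuth['wikilog'] = 'edit';
[$ok, $why] = checkAccess($userPerms, 'Calendar/20071111', 'wikilog');
echo "wikilog after mapping: $why\n";
```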




