[pmwiki-users] Drafts, moderated wikis, and PITS 00755

Patrick R. Michaud pmichaud at pobox.com
Sat Mar 31 10:06:00 CDT 2007


On Sat, Mar 31, 2007 at 01:00:25AM -0400, Scott Connard wrote:
> On Mar 30, 2007, at 11:14 PM, Patrick R. Michaud wrote:
> 
> >On Fri, Mar 30, 2007 at 10:32:21PM -0400, Scott Connard wrote:
> >
> >>4. Pm: Are you considering a Publish password so that publishers are
> >>given special permissions via a password attr (including id and
> >>groups in AuthUser)?
> >
> >I can see two approaches, both with positives and negatives.  One is
> >to introduce a "publish" password to pages (which defaults to the
> >"edit" password when not otherwise set).  This has the advantage of
> >being consistent, but part of me doesn't like introducing yet another
> >layer of passwords -- we have quite a bit there already.
> 
> This is what I did with my use of Draft pages. The only place I used  
> the publish authorization was in the Site.EditForm (or the group with  
> $EnableDrafts turned on) to determine which buttons to display and  
> what names to use.  The edit permission remained in control of  
> everything else.

Unfortunately, hiding the buttons isn't really sufficient protection
in the general case, since someone could always spoof their own form
to send the "publish" (post=1) command.  PmWiki has to check for
permission to publish at the time the form is submitted, not just
when the form is displayed.

> >Or, we could go the other way and claim that "edit" privileges are
> >needed to publish, while "draft" privileges only allow
> >creating/editing a draft but not publishing. [...]
> >Otherwise we have the case where 'edit' passwords mean "able to draft
> >but not change original" in one group and "able to change original" in
> >others.
> 
> I hear your concern, but the fact that people without edit permission  
> can click the Edit button seems more difficult to integrate into  
> existing wikis.

Another excellent point, but I'm not so sure it's an issue.  In
this case, an author that hits the 'Edit' button but doesn't have
'edit' (publish) permission would get an Edit form with the
Publish button disabled.  So, the author can still edit/save drafts,
they just can't publish.

It would mean that any site that is using (:if auth edit:) to
selectively display edit links might want to switch to
(:if auth draft:) instead.

> >[...]  When the draft is published, all of the
> >changes to the original appear as a single entry in the original's  
> >page history.
> 
> I'm confused here because I did a test before I wrote my original  
> comments and it seems like the draft history IS kept when it is  
> finally published to update the original document.  Unless you are  
> planning on changing it.  

Oh.  Perhaps I'm misremembering this.  At any rate, whatever it's
doing now is what I plan for it to do in the future.  :-)

Thanks again!

Pm
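
An added illustration of the submit-time check discussed in the message above (not part of the original post and not PmWiki's code): a simplified Python model comparing a handler that trusts the displayed form with one that re-checks permission when `post=1` arrives. The user table, function names, the `postdraft` field and the store layout are assumptions made for the example.

```python
# Simplified model (added illustration, not PmWiki code).
# Per the thread: "draft" lets a user save drafts, "edit" lets them publish.
PERMS = {"author": {"draft"}, "publisher": {"draft", "edit"}}  # constructed users


def render_buttons(user):
    """Display-time check: only decides which buttons the form shows."""
    perms = PERMS.get(user, set())
    buttons = ["postdraft"] if "draft" in perms else []
    if "edit" in perms:
        buttons.append("post")
    return buttons


def submit_trusting_form(user, form, store):
    """Weak handler: assumes a hidden Publish button cannot be submitted."""
    if form.get("post") == "1":
        store["published"] = form["text"]
        return "published"
    store["draft"] = form["text"]
    return "draft saved"


def submit_checked(user, form, store):
    """Hardened handler: re-checks permission when the form is submitted."""
    perms = PERMS.get(user, set())
    wants_publish = form.get("post") == "1"
    needed = "edit" if wants_publish else "draft"
    if needed not in perms:
        return "denied"  # rejecting is one policy; saving as a draft is another
    if wants_publish:
        store["published"] = form["text"]
        store.pop("draft", None)
        return "published"
    store["draft"] = form["text"]
    return "draft saved"


def demo():
    # Constructed request: the author was never shown Publish, yet sends post=1.
    forged = {"post": "1", "text": "unreviewed change"}
    results = {}
    for name, handler in (("trusting", submit_trusting_form), ("checked", submit_checked)):
        store = {"published": "reviewed text"}
        results[name] = (handler("author", dict(forged), store), store["published"])
    return results


if __name__ == "__main__":
    print(render_buttons("author"), demo())
```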
