[pmwiki-users] security documentation for recipes

Peter & Melodye Bowers pbowers at pobox.com
Mon Mar 10 11:00:03 CDT 2008


> > Basically I'm not thinking UpdateAuthPage() would be used any
> > different from UpdatePage() (i.e., still has the $oldpage parameter) other
> > than making sure that authorizations were correctly respected - an
> > "authorized API", if you will, to the world outside core...
> 
> Ah, if that's the case, then a separate function isn't really needed --
> it can just be a test added to the existing $EditFunctions array.  For
> example:
> 
>   function PostRequiresEdit($pagename, &$old, &$new) {
>     global $EnablePost;
>     if (!@$old['=auth']['edit']) $EnablePost = false;
>   }
>   array_unshift($EditFunctions, 'PostRequiresEdit');

That sounds great to me.  I'll include this code or similar in my recipe for
now (renaming function to avoid future collisions).  My recommendation would
be to put something like this in the core to enforce proper use of auth, but
that's for others to decide...

Thanks for your patience and help.

-Peter



