[pmwiki-users] HandleAuth for action diag
nzskiwi at gmail.com
Thu Sep 4 03:17:59 CDT 2008
Yes, I see why that makes sense.Where I was coming from was wanting a
password that only applied to approved URLs, rather than giving (say) my
Admin password out.
I suppose I can change the password on the approved URLs page, but
this doesn't appeal to me as much as applying security to the action.
2008/9/4 Patrick R. Michaud <pmichaud at pobox.com>
> On Wed, Sep 03, 2008 at 10:37:37PM +1300, Simon wrote:
> > As a general principle I think all actions should check the normal
> > perhaps this is the problem I am having with ?action=approvesites
> As a "general principle" I agree -- but the very phrase
> "general principle" implies that there can be exceptions. :-)
> In the case of ?action=approvesites, it always uses the write
> permission of the page that will contain the url approvals.
> Very little else makes sense. One could, I suppose, want to
> add additional restrictions tied to the ?action=approvesites
> command, but a person with write permission to the url approvals
> page would still be able to change the approved urls without
> using ?action=approvesites .
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pmwiki-users