[pmwiki-users] Bypassing the AuthUser
Patrick R. Michaud
pmichaud at pobox.com
Thu Apr 22 23:15:57 CDT 2010
On Thu, Apr 22, 2010 at 06:13:25PM -0400, DaveG wrote:
> On 4/22/2010 11:56 AM, V.Krishn wrote:
> >>I'm programming a new action handler. As far as I understand the thing,
> >>to read a page, I can use RetrieveAuthPage to enforce the access rights
> >>restrictions or ReadPage to bypass them.
> UpdatePage (and PostPage) both require the old and new versions of
> the page. The usual way to get the 'old' (current) version of the
> page is to call RetrieveAuthPage. As the developer you can choose
> how to call RetrieveAuthPage, thus essentially you can by-pass
> existing security by calling RetrieveAuthPage with the lowest
> authentication parameter ('read').
There's an even lower authentication level -- passing 'ALWAYS' as
the authorization level (instead of 'read', 'edit', etc.) will
cause RetrieveAuthPage to always read and return the page, even
if it happens to be protected by a read password.
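The authorization levels discussed in this thread, shown in a custom action handler. This is an added example, not part of the original message and not PmWiki's own code; the action name `appendnote`, the function `HandleAppendNote` and the `note` form field are hypothetical, and the snippet assumes it is loaded from `local/config.php`.

```php
<?php if (!defined('PmWiki')) exit();
// Added example (hypothetical recipe): a custom action that appends a
// line to the current page while respecting the page's edit password.

// Register the action and the authorization level it requires.
// PmWiki passes $HandleAuth[$action] to the handler as its second argument.
$HandleActions['appendnote'] = 'HandleAppendNote';
$HandleAuth['appendnote']    = 'edit';

function HandleAppendNote($pagename, $auth = 'edit') {
  // Enforce the 'edit' level. With $authprompt = true, PmWiki shows the
  // password form when the visitor is not yet authorized.
  // Passing 'read' here would only check the read password, and 'ALWAYS'
  // would skip the check entirely, so neither is suitable for a handler
  // that goes on to modify the page.
  $page = RetrieveAuthPage($pagename, $auth, true);
  if (!$page) Abort("?cannot edit $pagename");

  // Constructed input handling: accept one short line of text.
  $note = trim((string)@$_POST['note']);
  if ($note === '' || strlen($note) > 500) Redirect($pagename);
  $note = str_replace(array("\r", "\n"), ' ', $note);

  // UpdatePage needs both the old ($page) and the new ($new) version.
  $new = $page;
  $new['text'] = rtrim((string)@$page['text']) . "\n* $note\n";
  UpdatePage($pagename, $page, $new);

  Redirect($pagename);
}
```

When reviewing a recipe, search for `ReadPage(` and for `RetrieveAuthPage(` calls whose level is `'ALWAYS'` or `'read'` and confirm that what they return is never written back or shown to a visitor who lacks the matching permission.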