[pmwiki-users] Bypassing the AuthUser

Pierre Reinbold pierre.reinbold at uclouvain.be
Fri Apr 23 01:39:54 CDT 2010

Hash: SHA1

Patrick R. Michaud wrote:
> On Thu, Apr 22, 2010 at 06:13:25PM -0400, DaveG wrote:
>> On 4/22/2010 11:56 AM, V.Krishn wrote:
>>>> I'm programming a new action handler. As far as I understand the thing,
>>>> to read a page, I can use RetrieveAuthPage to enforce the access rights
>>>> restrictions or ReadPage to bypass them.
>> UpdatePage (and PostPage) both require the old and new versions of
>> the page. The usual way to get the 'old' (current) version of the
>> page is to call RetrieveAuthPage. As the developer you can choose
>> how to call RetrieveAuthPage, thus essentially you can by-pass
>> existing security by calling RetrieveAuthPage with the lowest
>> authentication parameter ('read').
> There's an even lower authentication level -- passing 'ALWAYS' as
> the authorization level (instead of 'read', 'edit', etc.) will
> cause RetrieveAuthPage to always read and return the page, even
> if it happens to be protected by a read password.

Whoaw ! Thank you all for your replies ! It is greatly informative !

With all this, I should be able to read the pages I want. Thanks again !

But I also need to write on a read protected page (located in SiteAdmin
for example). As I said, using UpdatePage does work when I'm connected
as administrator but not as an anonymous visitor. To make it work, I use
WritePage but, as V. Krishn pointed, it does not maintain revision
history (and presumably also a bunch of other things). Is their a better
way to bypass the write protection ? Maybe getting a page with
RetreiveAuthPage using $auth='ALWAYS' allows also to write to it
automagically? (just a wild guess)

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the pmwiki-users mailing list