design5 at softflow.co.uk
Tue May 3 13:46:00 CDT 2011
Tuesday, May 3, 2011, 6:35:11 PM, Sandy wrote:
> If it is possible to see and (:include:) file which you don't have
> access to, and access was set properly, then it's a bug.
Peter's point was that page specific authorisations always need to be
set in the page, via action=attr, or in the groups GroupAttributes
page, via action=attr, never via conditionals in config.php.
All $DefaultPasswords items should be set in config.php only, and not
set with group or page specific conditionals, as these will not have
any effect for a page which is included via (:include ...:).
But an included page's (access-) attributes will be recognised and
So there is no bug. One just cannot do a shortcut of setting page or
group specific access authorisations in config.php or a Page or Group
php file. They need to be set in the page.
The spread of authorisation settings on multiple pages is unavoidable
in PmWiki's security model. AuthList just helps to see it in one
More information about the pmwiki-users