[pmwiki-users] parameters to a handler function

Petko Yotov 5ko at 5ko.fr
Tue Jul 5 01:49:51 CDT 2016


The second argument is the authorization level the user must have to 
access your function, but you need to verify this yourself!

The argument will be passed to your function: it is taken from the 
$HandleAuth array, or from the default arguments of the function. Your 
function must call RetrieveAuthPage() if it requires a certain level of 
authentication; that second argument can allow wiki admins to override 
your default level of authentication, if they need to, and if you use 
it. (If you decide they don't need to change the level, don't use that 
argument.)

I invite you to review some simple core functions like HandleSource() or 
HandleAttr() or HandlePostAttr() in pmwiki.php.

For example: by default ?action=source requires read permissions:

   function HandleSource($pagename, $auth = 'read') {
     # ...
     $page = RetrieveAuthPage($pagename, $auth, true, READPAGE_CURRENT);
     if (!$page) Abort("?cannot source $pagename");
     #...
   }

If an admin sets in config.php $HandleAuth['source'] = 'edit'; then 
HandleSource() will be called with a second argument 'edit' not 'read'.

The key to your page is RetrieveAuthPage() which is documented here:

   http://www.pmwiki.org/wiki/PmWiki/Functions#RetrieveAuthPage

Notably, if the user has no $auth permissions to access the page, the 
login form will appear to allow her to type her password (if the third 
argument is true, or is missing). If the third argument is false, and 
the user has no permissions to $auth the page, the login form will not 
appear and the $page variable will be false - so you can deal with it.

See also the note about READPAGE_CURRENT in the Functions page.
* If you don't modify the page AND don't need the page history, use 
READPAGE_CURRENT, it is faster. Like  HandleSource() or HandleAttr() do.

* If you do modify the page OR you need the history, you must not use 
READPAGE_CURRENT or you'll lose all history. Like HandlePostAttr() does.

Hope that helps.

Petko

---
Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades


On 2016-07-05 01:35, Peter Kay wrote:
> There appear to be two parameters passed to a handler set up via
> $HandleActions['...'].  The first is the $pagename.  The second, which 
> not
> everyone uses, is $auth.  The CustomActions page doesn't make it 
> totally
> clear what $auth is - is it the authorization level the user already 
> has?
> Is it $HandleAuth['myaction']?



More information about the pmwiki-users mailing list