On 1/7/06, <b class="gmail_sendername">H. Fox</b> <<a href="mailto:haganfox@users.sourceforge.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">haganfox@users.sourceforge.net</a>> wrote:<div>
<span class="q"><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On 1/6/06, Patrick R. Michaud <<a href="mailto:pmichaud@pobox.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">pmichaud@pobox.com</a>> wrote:<br>> On Fri, Jan 06, 2006 at 10:16:41AM -0600, Tegan Dowling wrote:
<br>[...]<br>> > If you want to keep $EnablePageListProtect=1; in your
config.php, I<br>> > believe you could create a local/Eberron.php file containing just<br>> ><br>> > <?php<br>> > $EnablePageListProtect = 0;<br>> ><br>> > Anyone: Any problem with this?
<br>><br>> Well, even if $EnablePageListProtect=0; in local/Eberron.php,<br>> it's possible for someone to use that to see the existence of pages<br>> in all groups. Essentially someone can then do:<br>><br>
> .../pmwiki.php/Eberron/RecentChanges?action=rss&trail=Site.AllRecentChanges<br>><br>> to get a list of all pages, including password-protected ones.<br>><br>> Why? Well, specifying Eberron/RecentChanges causes the
Eberron.php<br>> to be loaded (thus turning off $EnablePageListProtect), and then<br>> the ?action=rss command is told to read pages from Site.AllRecentChanges.<br>><br>> Almost all variables that have to do with read-protecting pages
<br>> must be set in the site-wide configuration file to be effective;<br>> placing them in per-group configuration files means they can be<br>> bypassed simply by referencing a page from a different group.<br><br>
Would there be any advantage to doing this, either in config.php or<br>e.g. Eberron.php?:<br><br>if ($action == 'rss') { $EnablePageListProtect = 0; }</blockquote></span><div><br>
Anyone have an answer for HF's question?<br>
</div></div>