<div dir="ltr">Yes, I see why that makes sense.<div>Where I was coming from was wanting a password that only applied to approved URLs, rather than giving (say) my Admin password out.</div><div><br></div><div>I suppose I can change the password on the approved URLs page, but this doesn't appeal to me as much as applying security to the action.</div>
<div><br></div><div>thanks</div><div><br></div><div>Simon<br><br><div class="gmail_quote">2008/9/4 Patrick R. Michaud <span dir="ltr"><<a href="mailto:pmichaud@pobox.com">pmichaud@pobox.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">On Wed, Sep 03, 2008 at 10:37:37PM +1300, Simon wrote:<br>
> As a general principle I think all actions should check the normal mechanism,<br>
> perhaps this is the problem I am having with ?action=approvesites<br>
<br>
</div>As a "general principle" I agree -- but the very phrase<br>
"general principle" implies that there can be exceptions. :-)<br>
<br>
In the case of ?action=approvesites, it always uses the write<br>
permission of the page that will contain the url approvals.<br>
Very little else makes sense. One could, I suppose, want to<br>
add additional restrictions tied to the ?action=approvesites<br>
command, but a person with write permission to the url approvals<br>
page would still be able to change the approved urls without<br>
using ?action=approvesites .<br>
<font color="#888888"><br>
Pm<br>
</font></blockquote></div><br><br clear="all"><br>-- <br><br><a href="http://kiwiwiki.co.nz">http://kiwiwiki.co.nz</a><br>
</div></div>