PmWiki | Cookbook / RestrictActions

Summary: require admin privilege for most actions (if not defined otherwise).

Version: 1.5

Prerequisites: none

Status: stable

Maintainer: Sven

Categories: Security

Discussion: RestrictActions-Talk ?

Questions answered by this recipe

How can I protect my wiki from abuse of actions (?action=XYZ) that I didn't even know of?

Description

This recipe prevents all actions that are not configured to be allowed. (Some are allowed by default.)

How to Install

1. Download restrict_actions_v1.5.php Δ and save it in your cookbook directory.

2. Edit your local config file and set the permissions by adding lines like:

SDVA($RequiredPermissionLevels, array(
    'action1' => 'userlevel1',
    'action2' => 'userlevel2',
    ...
    'actionN' => 'userlevelN',
  ));

where the actions are the ?action= values you want to allow and the userlevels are either

native PmWiki privileges (read, edit, attr, ...),
"*" or
"-".

"*" means do not add any extra protection,

"-" means disable the action completely (even for users with admin privilege).

3. Below these permissions, write the usual include code:

require_once "$FarmD/cookbook/restrict_actions_vX.X.php";

where X.X is the version number. If you're using AuthUser, include that before you include restrict_actions.

Security and Privacy Reminder

By default, Restirct Actions changes forbidden actions to browse. If you want to deny even reading protected pages, find the two occurences of
$action = 'browse';
at the bottom of the receipe file and change them to
$action = 'login';

Comments

See Discussion at RestrictActions-Talk ?.

Releases

v1.5: Added special protection for "system" pages such as *.GroupHeader and *.GroupFooter
v1.1: Optimized default values for wikis with multiple editors
v1.0: Initial release

Reminders

If you want not just to view the attributes of a page (action=attr) but change them, please remember to allow the postattr action (disabled by default).

Contributors

Sven - original author

RestrictActions