[pmwiki-users] RSS Feed + Read Protected Groups

Tegan Dowling tmdowling at gmail.com
Mon Jan 9 13:33:50 CST 2006


On 1/7/06, H. Fox <haganfox at users.sourceforge.net> wrote:
>
> On 1/6/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > On Fri, Jan 06, 2006 at 10:16:41AM -0600, Tegan Dowling wrote:
> [...]
> > >    If you want to keep $EnablePageListProtect=1; in your config.php, I
> > >    believe you could create a local/Eberron.php file containing just
> > >
> > >    <?php
> > >        $EnablePageListProtect = 0;
> > >
> > >    Anyone:  Any problem with this?
> >
> > Well, even if $EnablePageListProtect=0; in local/Eberron.php,
> > it's possible for someone to use that to see the existence of pages
> > in all groups.  Essentially someone can then do:
> >
> >   .../pmwiki.php/Eberron/RecentChanges?action=rss&trail=Site.AllRecentChanges
> >
> > to get a list of all pages, including password-protected ones.
> >
> > Why?  Well, specifying Eberron/RecentChanges causes the Eberron.php
> > to be loaded (thus turning off $EnablePageListProtect), and then
> > the ?action=rss command is told to read pages from Site.AllRecentChanges.
> >
> > Almost all variables that have to do with read-protecting pages
> > must be set in the site-wide configuration file to be effective;
> > placing them in per-group configuration files means they can be
> > bypassed simply by referencing a page from a different group.
>
> Would there be any advantage to doing this, either in config.php or
> e.g. Eberron.php?:
>
> if ($action == 'rss') { $EnablePageListProtect = 0; }


Anyone have an answer for HF's question?
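
The behaviour described in the quoted reply above, as a small added model (not part of the original thread and not PmWiki's own code): settings come from the requested page's group, while the listing comes from the page named in trail. The Private group, the page data and every function name here are constructed for illustration.

```php
<?php
// Model only: imitates the load order described in the thread.
// Not PmWiki code; all page names and data below are constructed.

// Site-wide config.php: page-list protection is on.
function site_config(): array {
    return ['EnablePageListProtect' => 1];
}

// Per-group overrides, as a local/<Group>.php file would supply them.
const GROUP_CONFIG = [
    'Eberron' => ['EnablePageListProtect' => 0],
];

// Constructed pages: name => does the visitor have read permission?
const PAGES = [
    'Eberron.HomePage'  => true,
    'Eberron.Gazetteer' => true,
    'Private.Salaries'  => false,
];

// Constructed trail pages, each listing page names.
const TRAILS = [
    'Eberron.RecentChanges' => ['Eberron.HomePage', 'Eberron.Gazetteer'],
    'Site.AllRecentChanges' => ['Eberron.HomePage', 'Private.Salaries'],
];

// Settings are selected by the group of the *requested* page only.
function effective_config(string $requestedPage): array {
    $group = explode('.', $requestedPage, 2)[0];
    return array_merge(site_config(), GROUP_CONFIG[$group] ?? []);
}

// Page names a feed would list for this request.
function feed_listing(string $requestedPage, ?string $trail = null): array {
    $cfg = effective_config($requestedPage);
    $names = TRAILS[$trail ?? $requestedPage] ?? [];
    if ($cfg['EnablePageListProtect']) {
        // Drop names the visitor may not read.
        $names = array_filter($names, fn($n) => PAGES[$n] ?? false);
    }
    return array_values($names);
}

// Requested via Eberron (override loaded), trail points at another group's list:
print_r(feed_listing('Eberron.RecentChanges', 'Site.AllRecentChanges'));
// Same list requested directly, so only the site-wide setting applies:
print_r(feed_listing('Site.AllRecentChanges'));
```

Deleting the Eberron entry from GROUP_CONFIG makes both calls return the same filtered list, which is the effect of keeping the setting only in the site-wide file.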