[pmwiki-users] self-registering for notification emails

Américo Albuquerque aalbuquerque at lanowar.sytes.net
Mon Jun 5 10:58:17 CDT 2006


----- Original Message -----
Subject: Re: [pmwiki-users] self-registering for notification emails
Date: Mon, 5 Jun 2006 09:11:24 -0500
From: "Ben Wilson"

 > For what it's worth, I am beginning to take a different approach to
 > the same thing. When you use (:if:) conditionals to conceal text,
 > remember that if a user can ?action=source, then the concealed text is
 > available.
As others said, one can protect action=source just for those who can also 
write. The same can be said about action=diff.

 >
 > What I've done for administrative pages is put them in a separate
 > page, password protect that page, then include it in the original
 >
Unfortunately that won't work on the Site.AuthUser page (I've tested 
it). The script reads the page as it is, before any markup is resolved. 
That means that only users set on the Site.AuthUser page will be allowed 
to login. Users on the include page are not recognized as valid users.

 > page. For example, I used to have an "editor's" sidebar and a sidebar
 > for unauthenticated users. In the old days I used the (:if:) approach.
 > Now, I have Site.Sidebar and Site.EditSidebar. To get the latter page
 > into the former I (:include Site.EditSidebar:) So, in your case, you
 >
That works because Site.Sidebar is to be displayed, not read by a script.

 > may consider substituting the part in Site.AuthUser that is for
 > administrators only with a separate page. I admit, though, that
 > Site.AuthUser is not a page I would allow anybody other than admins to
 > view--I'd use some other page for them.
 >
Exactly :)

 > Since I have certain key administrative pages (e.g. Site.EditSidebar)
 > that belong in specific places, I went ahead and put the reference to
 > them in the Skin template. This way, even sourcing the Edit.SideBar
 > does not indicate there's a significant administration page there.
 >
That is not a real protection. Anyone can see the source via browser and 
see where the admin pages are. It's better to use the (:include:) 
version and have the special page protected by other means (like having 
a password to view, or belonging to a particular group to view, etc).

Americo Albuquerque
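
The restriction on action=source and action=diff discussed in this message, as an added configuration example that is not part of the original post. It assumes a standard PmWiki install where site settings live in local/config.php and uses PmWiki's $HandleAuth array, which maps each action to the permission level it requires.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php (assumed location of the site configuration)

# By default, ?action=source and ?action=diff require only 'read'
# permission, so anyone who can view a page can also retrieve its raw
# markup, including text hidden from the rendered page by (:if:)
# conditionals, and its revision history.

# Require edit permission for both actions instead, so only users who
# can already write the page can see its raw source or its diffs.
$HandleAuth['source'] = 'edit';
$HandleAuth['diff']   = 'edit';
```

This closes the raw-markup route only; a page whose contents must stay private still needs its own read password or group restriction, as the message says.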





