[pmwiki-users] delete GroupAttributes

Clemens Gruber cgruber at uni-osnabrueck.de
Tue Jun 13 17:04:26 CDT 2006


Hello,

is this a security hole or a misconfiguration on my side: I've set in 
local/config.php

## AuthUser, http://pmwiki.org/wiki/PmWiki/AuthUser
## and LDAP, http://www.pmwiki.org/wiki/Cookbook/AuthUser
include_once("$FarmD/scripts/authuser.php");
$DefaultPasswords['admin'] = 'id:myaccount';
# lock passwords, admin and upload passwords locked by default
$DefaultPasswords['attr'] = '*';
$DefaultPasswords['edit'] = '*';
$DefaultPasswords['read'] = '*';

Now I've defined a user-group in Site.AuthUser
@some-user: account1, account2

Next I set in Main.GroupAttributes?action=attr
read password: @some-user
edit password: @some-user

In this case I can't execute Main.GroupAttributes?action=attr as user 
"account1" - there are no rights set before - that's OK. But I can edit 
the page Main.GroupAttributes?action=edit and can delete this page by 
typing "delete" in the textarea?? Now all settings made in 
Main.GroupAttributes are reset. Any idea?

Clemens