[pmwiki-users] spam despite edit restriction

The Editor editor at fast.st
Sun Nov 26 10:59:12 CST 2006


On 11/26/06, Hans <design5 at softflow.co.uk> wrote:
> Sunday, November 26, 2006, 1:14:02 PM, Florian wrote:
>
> > These pages are all empty. Apart from that the pages all belong into a
> > certain group (Review). Note that's the group I use in combination with
> > the newpageboxplus recipe to simplify page creation.
>
> Most likely this is caused by an exploitation of newpageboxplus's
> capability to save a new page automatically.
>
> I would be very interested to know of a good way to include checking
> of edit authorisation into the script.
>
> Meanwhile, if you don't use the save=true option, just disable it in
> the script by commenting out 'save' => '' in var $defaults,
>
> ie replace
>    'save' => '');
> with
> #    'save' => ''
> );
>
> Maybe I need to include a variable SDV($EnableAutoSave, false);
> as default, to disable the auto saving option, and let admins decide
> when they need to enable it. It is useful for simple forum for
> example, as a way to create new topic pages, even by users who have no
> edit rights granted. But obviously spammers could exploit this, as
> they can on any open forum. Ideas?


One way around this is to have some kind of authorization built into
the recipe that verifies the form submission is authentic. If you are
interested in using zap's approach I could point you to the
appropriate lines of code.  It works pretty nicely and could be
transported to your recipe. Basically it causes forged headers to be
ignored.

I do have a function that checks the submitter's auth level and can be
set to check that the submitter has edit privileges, but that doesn't solve
the problem I think you mentioned, of things like forums, etc, where
people might be posting who cannot edit.  Also, I suspect you already
have that built in to your recipe.

Cheers,
Caveman
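The two checks discussed in this thread, an authenticity token so a forged submission is ignored and an authorization gate before the auto-save, as an added example in plain PHP. This is not code from newpageboxplus, zap or PmWiki: the function names, the token format, the hidden field name form_token, the $secret and $sessionId values and the constructed demo inputs are all assumptions made for the example, and the remark about CondAuth() is an assumption about PmWiki's API rather than something this page shows.

```php
<?php
// Added example: token-and-authorization checks for a page-creating form
// handler. Not code from newpageboxplus, zap or PmWiki; names, token
// format, $secret and $sessionId are assumptions for the example.

declare(strict_types=1);

// Build a form token bound to the session, the form name and an expiry.
// The MAC covers the session id, so a token minted in one browser session
// is useless in another, and a bot that never loaded the form has none.
function make_form_token(string $secret, string $sessionId, string $formName, int $expires): string
{
    $payload = $formName . '|' . $expires;
    $mac = hash_hmac('sha256', $sessionId . '|' . $payload, $secret);
    return $payload . '|' . $mac;
}

// Verify a submitted token. Returns false for any malformed, expired,
// re-targeted or forged token; the MAC comparison is constant-time.
function verify_form_token(string $secret, string $sessionId, string $formName, string $token, int $now): bool
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$name, $expires, $mac] = $parts;
    if ($name !== $formName || !preg_match('/^\d{1,12}$/', $expires) || (int)$expires < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $name . '|' . $expires, $secret);
    return hash_equals($expected, $mac);
}

// Policy for the auto-save itself. $enableAutoSave plays the role of the
// SDV($EnableAutoSave, false) switch proposed above; $canEdit is whatever
// the wiki reports for the current user (in a PmWiki recipe that would be
// CondAuth($pagename, 'edit'); an assumption about the API, not shown on
// this page). $requireEditAuth = false is the forum case, where
// non-editors may create topic pages but must still present a valid token.
function may_autosave(bool $enableAutoSave, bool $canEdit, bool $requireEditAuth): bool
{
    if (!$enableAutoSave) {
        return false;
    }
    return $canEdit || !$requireEditAuth;
}

// The POST handler: both checks must pass before anything is written.
// Returns a status string instead of saving so the example runs stand-alone.
function handle_new_page(array $post, string $secret, string $sessionId, int $now,
                         bool $enableAutoSave, bool $canEdit, bool $requireEditAuth): string
{
    $token = (string)($post['form_token'] ?? '');
    if (!verify_form_token($secret, $sessionId, 'newpagebox', $token, $now)) {
        return 'ignored: bad or missing form token';
    }
    if (!may_autosave($enableAutoSave, $canEdit, $requireEditAuth)) {
        return 'refused: auto-save disabled or edit permission required';
    }
    $name = trim((string)($post['pagename'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9]+$/', $name)) {
        return 'refused: bad page name';
    }
    return 'saved: Review.' . $name;   // a real recipe would call the wiki's save routine here
}

// Demo with constructed inputs (not captured traffic).
$secret    = 'replace-with-a-long-random-site-secret';
$sessionId = 'sess-abc123';
$now       = time();

// Rendering the form: the token goes into a hidden field.
$token = make_form_token($secret, $sessionId, 'newpagebox', $now + 3600);
echo '<input type="hidden" name="form_token" value="', htmlspecialchars($token), '">', PHP_EOL;

// 1) A user who loaded the form in this session and has edit rights.
echo handle_new_page(['pagename' => 'Topic1', 'form_token' => $token],
                     $secret, $sessionId, $now, true, true, true), PHP_EOL;
// 2) A spam bot posting straight to the script with no token.
echo handle_new_page(['pagename' => 'Buyxyz'],
                     $secret, $sessionId, $now, true, false, false), PHP_EOL;
// 3) The same valid token, but auto-save left at the proposed default of off.
echo handle_new_page(['pagename' => 'Topic2', 'form_token' => $token],
                     $secret, $sessionId, $now, false, true, true), PHP_EOL;
```

The token stops blind POSTs (the "forged headers" case), because a submission without a token minted for this session and this form is dropped before any authorization logic runs; it does not stop a bot that first fetches the form with a real session, which is why the forum case still needs something like rate limiting or moderation on top. The site secret must be a long random value generated once (random_bytes is the usual source) and kept out of any page the wiki serves.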