[pmwiki-users] Q:ZAP setting attr

The Editor editor at fast.st
Tue Apr 3 08:40:28 CDT 2007


On 4/3/07, Hans <design5 at softflow.co.uk> wrote:
> Tuesday, April 3, 2007, 11:37:38 AM, The Editor wrote:
>
> > Basically you do
>
> > (:zap attr="Group.Name|passwdedit|id:Jiri":)
>
> > If the page doesn't exist, it creates it. As with many ZAP functions, this
> > is quite powerful, because you can reset anything, including text or
> > ctime, or whatever.
>
> Powerful perhaps, but the security implications do scare me:
> you can reset any password on any page, totally disregarding the
> page's security settings. Not only that, but you can change, reset, or
> erase any of any page's attributes, including the page content and the
> page history itself.
>
> I start to think when you use the word "powerful" it may mean "high
> security risk".


Ahh, perhaps you are right, Hans.  Maybe I just posted too quickly...
Though I don't believe the history could be deleted so easily...
Anyway, here are a couple of possible fixes:

1) Since ZAP already has other (better) options for editing page text,
I should exclude that possibility, period.

2) Set it so it only works if the user has attr permissions for the
target page.  This would make it no less secure than PmWiki otherwise.
i.e.: you'd have to leave that group open by default or no changes would
take place.

3) Not sure it should be able to override ZAP password permissions.
Though not sure what the risks of that would be...

4) Perhaps allowing title changes should be more automatic.  Or even a
separate extension command, though I prefer fewer functions with more
power...

What do you think of these ideas?

Cheers,
Dan

PS.  Note:  no one can create a ZAP form without edit permissions, and
from the beginning I've stated ZAP is not for openly edited
wikis--unless permissions are carefully controlled (either by only
enabling ZAP where needed or by ZAP passwords on regular attr pages).

Also, though I don't know how many have taken me up on it, ZAPextend is
more like a toolbox.  Any of the functions in it can be cut out and
pasted into a config to enable just that one function where needed.
Unless you are running a controlled CMS (like I do) you probably would
never want ZAPextend enabled everywhere.  Just a reminder to ZAP
users.

Once you take a look at the extension examples, you see how easy it
is to create custom ZAP extensions.  I'd also hoped others would
contribute some of these...
