[pmwiki-users] UserAuth2 and WikiCalendar problem

ThomasP pmwikidev at sigproc.de
Mon Jun 11 10:27:43 CDT 2007


Hello,

I have been away for a while - hope this comes still in time.

On Sat, June 2, 2007 18:54, IchBin wrote:
> ThomasP wrote:
>> On Thu, May 31, 2007 02:12, IchBin wrote:
>>> IchBin wrote:
>>>> I am fooling around with WikiCalendar since I can not get any response
>>>> from the author of Logbook. It is not working, for me, but then that
>>>> is
>>>> another post I posted here and to his personal email address.
>>>>
>>>> Anyway, a user with UserAuth2 security of read\write "ed_Calendar.*"
>>>> access has no problem editing a day when picking it from the visual
>>>> calendar.
>>>>
>>>> There is a problem when they use the "Story form markup
>>>> (:wikilogbox:)"
>>>> to post to the calendar. The error looks like this for say adding a
>>>> story on 05/29/2007:
>>>>
>>>> Calendar /
>>>> 20070529
>>>> Insufficient privileges to perform action
>>>>
>>>> The files are kept on disk in this format: 'Calendar.YYYYMMDD'. So
>>>> this
>>>> page would be: Calendar.20070529. It does not seem to matter if the
>>>> Calendar.date exists or needs to be created. I just get the security
>>>> error.
>>>>
>>>> The current calendar files I have are:
>>>> Calendar.Calendar
>>>> Calendar.GroupHeader
>>>> Calendar.RecentChanges
>>>> Calendar.20070528
>>>> Calendar.20070530
>>>> Calendar.20070530
>>>>
>>>> Just a quick idea: I guess there must be an intermediary file that
>>>> does
>>>> not conform to the Calendar naming convention that is
>>>> created\destroyed
>>>> (temp file) in the process of posting a 'Story message' to the
>>>> calendar.
>>>>   I'll take a peek.
>>>>
>>> Looking at the logic in UserAuth2.php in function
>>> TryAccessingPage($pagename, $level) It is passing this:
>>>
>>> $pagename = Calendar/20070429
>>> $level = edit
>>>
>>> But get caught on this:
>>>
>>> if ($UserInstanceVars->isAuthenticated())
>>>
>>> even though I set the security rule for the user to: 'ed_*.*' and I am
>>> signed in... Should be OK.
>>>
>>
>> The auth module will always expect normalized pagenames, i.e. of the
>> form
>>
>> Group.Page
>>
>> As it will be difficult pmwiki wide to make this sure, it is probably
>> easier if you add the line
>>
>> str_replace('/', '.', $pagename)
>>
>> as first line in the UserAuth2() function. This will resolve at least
>> the
>> above problem.
>>
>> Thomas
>>

It seems the problem lies deeper than I initially had hoped. In any case
the str_repl line will do no damage.

If you are indeed "getting caught" (i.e. getting permissions denied?) by
the if-authenticated line you quoted, then try a

global $HTMLFooterFmt;
$HTMLFooterFmt[] = "-" . $_SESSION['username'] . "-<br>";

before that if-statement, which should print out your logged-in username.
If this is empty then, ... well, you know, session problems.

If this was not the problem, activate the displaying of the permission
results (search for "PERM" in userauth2.php) and let's see what is
actually denied.

Thomas






More information about the pmwiki-users mailing list