[pmwiki-users] Using $HandleAuth

Hans design5 at softflow.co.uk
Sun Nov 11 10:28:39 CST 2007


I wrote in another post:

You may also want to protect access to page source viewing with:

    $HandleAuth['source'] = 'edit';

But how can I protect other custom (recipe) actions which are
registered as $HandleActions['customaction'] = 'HandleCustomFunction'; ?

    $HandleAuth['customaction'] = 'admin';

alone seems not enough. If I understand HandleDispatch() correctly,
then the $HandleAuth['customaction'] value is passed on via
HandleDispatch to the HandleCustomFunction, together with the
pagename, and it is up to HandleCustomFunction to do any appropriate
response if authorisation level is not suitable. Is this correct?

As an admin person it may have implications as I have to look into the
recipe code to see if there is a check on authorisation level, and
appropriate response, built in. For instance setting

    $HandleAuth['comment'] = 'edit';

will not result in commentboxplus that a user can only post if she has
'edit' permission. $HandleAuth['comment'] is never checked.
This seems quite a burden on the admin, if she wants to control
permissions on custom recipe actions.

As a recipe writer it has implications as I can make use of
$HandleAuth['mycustomaction'] being set. For instance with fox.php
I would not have needed to introduce a $FoxAuth variable, which set
basic posting authorisation level, and just could have set
$HandleAuth['foxpost'] and then check inside the function against the
passed on $auth variable. Is this right?


  ~Hans   
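
An added example, not part of the original post and not PmWiki or recipe source: a stand-alone PHP model of the dispatch described above, showing one handler that ignores the `$auth` level it is passed beside one that enforces it. `HandleDispatch()` and `RetrieveAuthPage()` here are simplified stand-ins for the PmWiki functions of the same name; `$UserLevels`, the action names `demo-unchecked` and `demo-checked`, and both handler functions are hypothetical.

```php
<?php
// Stand-alone model of PmWiki action dispatch (assumption: simplified, not PmWiki's code).
$HandleActions = [];
$HandleAuth    = [];
$UserLevels    = ['read'];  // constructed: permission levels the current visitor holds

// Stand-in dispatcher: looks up the configured level and forwards it to the
// handler. It performs no permission check of its own.
function HandleDispatch($pagename, $action) {
  global $HandleActions, $HandleAuth;
  $auth = $HandleAuth[$action] ?? 'read';
  return $HandleActions[$action]($pagename, $auth);
}

// Stand-in for RetrieveAuthPage(): page data if the visitor holds $level,
// false otherwise. The real function takes further arguments and can prompt
// for a password.
function RetrieveAuthPage($pagename, $level) {
  global $UserLevels;
  return in_array($level, $UserLevels, true) ? ['name' => $pagename] : false;
}

// Hypothetical handler that never looks at $auth: the admin's $HandleAuth
// setting for its action has no effect.
function HandleDemoUnchecked($pagename, $auth = 'read') {
  return "posted to $pagename";
}

// Hypothetical handler that enforces the level it was handed.
function HandleDemoChecked($pagename, $auth = 'read') {
  $page = RetrieveAuthPage($pagename, $auth);
  if (!$page) return "denied: '$auth' permission required on $pagename";
  return "posted to $pagename";
}

$HandleActions['demo-unchecked'] = 'HandleDemoUnchecked';
$HandleActions['demo-checked']   = 'HandleDemoChecked';
$HandleAuth['demo-unchecked']    = 'edit';
$HandleAuth['demo-checked']      = 'edit';

// The visitor holds only 'read' for the first two requests.
echo HandleDispatch('Main.HomePage', 'demo-unchecked'), "\n";
echo HandleDispatch('Main.HomePage', 'demo-checked'), "\n";
$UserLevels[] = 'edit';  // visitor now authenticated for 'edit'
echo HandleDispatch('Main.HomePage', 'demo-checked'), "\n";
```

When auditing a recipe, the thing to look for is the second pattern: the handler's second parameter reaching an authorisation check before the handler does any work.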



