[pmwiki-users] security documentation for recipes

Patrick R. Michaud pmichaud at pobox.com
Wed Mar 5 11:13:08 CST 2008


On Wed, Mar 05, 2008 at 02:47:49PM +0100, Peter & Melodye Bowers wrote:
> Thanks, PM.  Very helpful.
> 
> > UpdatePage() does not check any authorizations -- it simply updates
> > the page.
> 
> > RetrieveAuthPage takes a number of parameters:
> > 
> >     $page = RetrieveAuthPage($pagename, $auth, $prompt, $since);
> > 
> >...
> 
> Would it be helpful for other developers (or is it just me?) to have a
> simple wrapper as the "official" way to write to a page?  Something like
> UpdateAuthPage() or something similar?  

Possibly, but there are a couple of issues that need to be resolved
first.  For example, presumably a call to UpdateAuthPage() would
look like

    UpdateAuthPage($pagename, $page);

where $pagename is the name of the page to be updated, and $page is the
array of new attributes.  One question is whether the $page array
should _completely_ replace the existing array (as currently happens
for UpdatePage), or if it simply supplies the attributes to be
updated and leaves the remainder unchanged.

Also, what should UpdateAuthPage() do if the visitor doesn't
have authorization -- should it automatically prompt for a form,
Abort, return a false value to the caller, or... ?  (We could provide
a $prompt argument to UpdateAuthPage() as well.)

> On another note, does CondAuth() work as well (in place of the
> RetrieveAuthPage() call)?  Sometimes I read a page ("read" auth) and then in
> the process of working with it realize I need to update the page -- it seems
> a shame to re-read it to confirm "edit" auth...  

In general if you simply want to check authorization and don't care 
about the page contents, it's better to use CondAuth() instead of
RetrieveAuthPage(), just in case we modify the security model in the
future.  However, it's not any quicker, since CondAuth() itself uses
RetrieveAuthPage() to check the permissions.

Another way of checking that doesn't require an extra read beyond
the first is to check $page['=auth']['edit']; if it is non-zero, then
the visitor has 'edit' permission on the page.

> PS If CondAuth() does work then UpdateAuthPage() (if that's a good name)
> could be as simple as this:
> 
> function UpdateAuthPage(...)
> {
> 	return (CondAuth(...) && UpdatePage(...));
> }

Not really.  UpdatePage() requires both the current page and the updated
page, and we need to make sure the updated page merges in any attributes
of the existing page.  So it's probably something more like:

  function UpdateAuthPage($pagename, $new, $prompt) {
    global $IsPagePosted;
    $IsPagePosted = false;
    $page = RetrieveAuthPage($pagename, 'edit', $prompt);
    if ($page) {
      $new = array_merge($page, $new);
      UpdatePage($pagename, $page, $new);
    }
    return $IsPagePosted;
  }

Pm
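
An added example, not part of the original message and not PmWiki code: a stand-alone sketch of the merge-style wrapper discussed above that also filters the caller's array before merging, so an 'edit'-level caller cannot overwrite password attributes. UpdateAuthPageSafe() is a hypothetical name, the RetrieveAuthPage()/UpdatePage() stand-ins and the sample page are constructed so the script runs outside PmWiki, and it is an assumption that passwd* attributes should require 'attr' rights and that $page['=auth'] carries an 'attr' entry.

```php
<?php
// Added example, not PmWiki code. Constructed stand-ins so it runs outside PmWiki;
// inside a recipe the real functions exist and this block is skipped.
if (!function_exists('RetrieveAuthPage')) {
  $Store = array('Main.Demo' => array('text' => 'old', 'passwdedit' => 'HASH-PLACEHOLDER'));
  $Visitor = array('edit' => 1, 'attr' => 0);  // constructed: may edit, may not set attributes
  function RetrieveAuthPage($pagename, $level, $prompt = true, $since = 0) {
    global $Store, $Visitor;
    if (empty($Visitor[$level]) || !isset($Store[$pagename])) return false;
    return array_merge($Store[$pagename], array('=auth' => $Visitor));
  }
  function UpdatePage(&$pagename, &$page, &$new) {
    global $Store, $IsPagePosted;
    $Store[$pagename] = $new;
    $IsPagePosted = true;
  }
}

// Hypothetical wrapper: same shape as the function in the message, plus a filter
// on the caller-supplied attributes before they are merged into the page.
function UpdateAuthPageSafe($pagename, $new, $prompt = false) {
  global $IsPagePosted;
  $IsPagePosted = false;
  $page = RetrieveAuthPage($pagename, 'edit', $prompt);
  if (!$page) return false;               // no 'edit' rights: nothing is written
  foreach (array_keys($new) as $k) {
    $isRuntime = (strncmp($k, '=', 1) == 0);        // '=auth' etc. are per-request data
    $isPasswd  = (strncmp($k, 'passwd', 6) == 0);   // assumption: needs 'attr' rights
    if ($isRuntime || ($isPasswd && empty($page['=auth']['attr']))) unset($new[$k]);
  }
  $new = array_merge($page, $new);        // unspecified attributes keep their old values
  UpdatePage($pagename, $page, $new);
  return $IsPagePosted;
}

// Demo against the constructed store: the text changes, the attempt to blank
// the edit password is dropped because the visitor lacks 'attr'.
if (isset($Store)) {
  $ok = UpdateAuthPageSafe('Main.Demo', array('text' => 'new', 'passwdedit' => ''));
  var_dump($ok, $Store['Main.Demo']['text'], $Store['Main.Demo']['passwdedit']);
}
```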


