[pmwiki-users] Bypassing the AuthUser

Patrick R. Michaud pmichaud at pobox.com
Thu Apr 22 23:15:57 CDT 2010


On Thu, Apr 22, 2010 at 06:13:25PM -0400, DaveG wrote:
> 
> 
> On 4/22/2010 11:56 AM, V.Krishn wrote:
> >>I'm programming a new action handler. As far as I understand the thing,
> >>to read a page, I can use RetrieveAuthPage to enforce the access rights
> >>restrictions or ReadPage to bypass them.
> UpdatePage (and PostPage) both require the old and new versions of
> the page. The usual way to get the 'old' (current) version of the
> page is to call RetrieveAuthPage. As the developer you can choose
> how to call RetrieveAuthPage, thus essentially you can by-pass
> existing security by calling RetrieveAuthPage with the lowest
> authentication parameter ('read').

There's an even lower authentication level -- passing 'ALWAYS' as
the authorization level (instead of 'read', 'edit', etc.) will
cause RetrieveAuthPage to always read and return the page, even
if it happens to be protected by a read password.

Pm
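
Added example, not part of the original message and not PmWiki's own code: a cookbook-style action handler that takes its authorization level from $HandleAuth and passes it to RetrieveAuthPage, so the page's passwords are enforced before UpdatePage runs. The action name 'appendnote', the handler name HandleAppendNote and the 'note' POST field are hypothetical.

```php
<?php if (!defined('PmWiki')) exit();
# Hypothetical recipe: ?action=appendnote appends one list item to a page.
# 'appendnote', HandleAppendNote and the 'note' field are assumed names.

$HandleActions['appendnote'] = 'HandleAppendNote';
$HandleAuth['appendnote']    = 'edit';  # level PmWiki hands to the handler as $auth

function HandleAppendNote($pagename, $auth = 'edit') {
  # Enforce the page's edit restriction. With the third argument true,
  # PmWiki prompts for a password when the visitor lacks $auth rights.
  $page = RetrieveAuthPage($pagename, $auth, true);
  if (!$page) Abort("?cannot edit $pagename");

  $note = trim(strval(@$_POST['note']));
  if ($note == '') { Redirect($pagename); return; }

  # UpdatePage needs both versions: $page is the old one, $new the edited copy.
  $new = $page;
  $new['text'] = rtrim(strval(@$page['text'])) . "\n* $note\n";
  UpdatePage($pagename, $page, $new);
  Redirect($pagename);
}

# For contrast, the call below skips every password check on the page,
# as described in the message above. A handler that reads this way has to
# do its own access control before showing or saving anything:
#   $page = RetrieveAuthPage($pagename, 'ALWAYS', false);
```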


