[pmwiki-users] AuthUser

Peter Bowers pbowers at pobox.com
Mon May 2 13:22:39 CDT 2011


On Mon, May 2, 2011 at 6:53 PM, Peter Bowers <pbowers at pobox.com> wrote:
> Just for another perspective I find that in situations like this I
> tend to be "FTP-administrator-oriented" and make changes like this in
> my config.php rather than doing them in the
> GroupAttributes?action=attr section.  I just find it hard to remember
> when I've got a complicated setup with config spread across multiple
> locations and it's easier for me when it's all in one place.  So I end
> up with something like this:
>
> ## Get the group and page name
> $pagename = ResolvePageName($pagename);
> #$page = PageVar($pagename, '$FullName'); // not needed for this example
> $group = PageVar($pagename, '$Group');
> #$name = PageVar($pagename, '$Name'); // not needed for this example
> ...
> $DefaultPasswords['edit'] = array('@editors'); // note the array(...)
> if (inlist($group, array('GroupA', 'GroupB', 'GroupC')))
>   $DefaultPasswords['edit'][] = '@friends';

Randy pointed out (below) a serious security hole that I've been
inadvertently leaving on my sites ever since I started doing that
config.php-only type of password-setting that I suggested above.  If I
am viewing a group for which I have read permission I can then
(:include:) a page for which I do *not* have read permission.

Please do *not* use my suggestion for setting just $DefaultPasswords
in config.php.  It is not just that it is "not preferable" as I
thought but simply wrong.

-Peter

On Mon, May 2, 2011 at 7:49 PM, Randy Brown <alongkiss at aprivatespot.com> wrote:
> If I understand your configuration method correctly, it may have a security hole. You may want to fix the hole.
> After you've done that, we should update your suggestion on the mailing list with an explanation of the hole.
>
> The problem is that when you set $DefaultPasswords based on the group of a specific page, that authorization
> becomes the default authorization not just for the specific page you intended but for all pages that use the
> site-wide default.
...
> It would be nice if there were a way to set default permissions in config.php with the outcome that you intended,
> but I know of no mechanism.
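The hole Randy describes can be made concrete with a small model of how a site-wide default interacts with per-group attributes. The code below is an added example, not PmWiki's own code or anything from this thread: it is a simplified stand-in for PmWiki's password lookup, and the group names (`GroupA`, `Private`), page names and the `@friends` group are constructed for illustration. It contrasts the conditional-`$DefaultPasswords` pattern with keeping the default fixed and putting the wider permission in the group's own attributes, which is what editing `GroupA.GroupAttributes` via `?action=attr` does.

```php
<?php
// Simplified model of default-vs-attribute password resolution.
// Added example; NOT PmWiki code. All names below are constructed.

function groupOf(string $pagename): string {
    // "GroupA.Home" -> "GroupA"
    return explode('.', $pagename, 2)[0];
}

// Who may read $pagename: an explicit group attribute wins,
// otherwise the site-wide default applies (as for any page that
// has no read password of its own).
function readersOf(array $defaults, array $groupAttrs, string $pagename): array {
    $group = groupOf($pagename);
    if (isset($groupAttrs[$group]['read'])) {
        return $groupAttrs[$group]['read'];
    }
    return $defaults['read'];
}

// Flawed pattern from the thread: the default is recomputed for each
// request from the *requested* page's group, then applied to every page
// touched during that request, including (:include:)d pages.
function flawedDefaults(string $requestedPage): array {
    $defaults = ['read' => ['@editors']];
    if (in_array(groupOf($requestedPage), ['GroupA', 'GroupB', 'GroupC'], true)) {
        $defaults['read'][] = '@friends';
    }
    return $defaults;
}

// Safer pattern: the site-wide default never changes per request; the
// wider permission is stored with the group (constructed stand-in for
// what GroupA.GroupAttributes would hold).
$fixedDefaults = ['read' => ['@editors']];
$groupAttrs    = ['GroupA' => ['read' => ['@editors', '@friends']]];

// Scenario: a visitor in @friends requests GroupA.Home, and that page
// (:include:)s Private.Secrets, which relies on the site-wide default.
$requested = 'GroupA.Home';
$included  = 'Private.Secrets';

// With the flawed pattern the included page inherits @friends access.
$leaky = readersOf(flawedDefaults($requested), [], $included);
echo "flawed:  $included readable by " . implode(', ', $leaky) . "\n";
// prints: flawed:  Private.Secrets readable by @editors, @friends

// With a fixed default plus group attributes the requested page is still
// open to @friends, but the included page keeps the strict default.
$ok      = readersOf($fixedDefaults, $groupAttrs, $requested);
$private = readersOf($fixedDefaults, $groupAttrs, $included);
echo "fixed:   $requested readable by " . implode(', ', $ok) . "\n";
echo "fixed:   $included readable by " . implode(', ', $private) . "\n";
// prints: fixed:   GroupA.Home readable by @editors, @friends
//         fixed:   Private.Secrets readable by @editors
```

The point the model makes is that `$DefaultPasswords` is global state for the whole request, so any condition on the requested page's group widens it for every page the request reads; permissions that should differ by group belong in that group's attributes, where the lookup is keyed on the page actually being read.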
