[pmwiki-users] modifying wikish renaming pages/groups scripts to update links with spaces

Alex Eftimiades alexeftimiades at gmail.com
Sat Jul 28 03:25:27 CDT 2012


I should have emailed this, but the updated solution I have so far is  
to limit edit access to the group WikiSh to administrators, and limit  
view access to editors. I added this in my config.php (near the end):

#wikish
include_once("$FarmD/cookbook/toolbox.php");
include_once("$FarmD/cookbook/WikiSh.php");
if ($group == 'WikiSh' && CondAuth($pagename,'admin'))
    include_once("$FarmD/cookbook/WikiShCL.php");
include_once("$FarmD/cookbook/SecLayer.php"); // note this includes stdconfig.php
$EnableWikiShWritePage = true;
$EnableWikiShCreatePage = true;
$EnableWikiShOverwritePage = true;
$EnableWikiShRemove = true;
if ($group=='WikiSh'){
   if ($pagename=='WikiSh.Rename'){
     # full permissions only if the user may edit both the old and the new page
     if(CondAuth($_GET["OldPage"], 'edit') && CondAuth($_GET["NewPage"], 'edit')){
       slAddAuth($wshAuthPage, "*.*", "read,create,insert,overwrite,append,prepend,attr,delete");
     }
     else{
       slAddAuth($wshAuthPage, "*.*", "read");
     }
   }
   else{
     # any other page in the WikiSh group
     slAddAuth($wshAuthPage, "*.*", "read,create,insert,overwrite,append,prepend,attr,delete");
   }
}
else{
  # outside the WikiSh group: read only
  slAddAuth($wshAuthPage, "*.*", "read");
}
# cookbook/powertools.php is *very* helpful in the wikish environment but is optional.
# If you decide to install it you will need to go that page and download it and install
# it as follows:
include_once("$FarmD/cookbook/powertools.php");
#end wikish

This is all to avoid renaming links if someone is not authorized to  
edit either the old page or the new page. Only admins have permission  
to edit anything in the WikiSh group, but editors are allowed to view  
pages in the WikiSh group (thus being able to make use of the scripts  
provided for them.) So essentially, only admins are allowed to create  
WikiSh scripts, but editors are allowed to use them by viewing the  
pages they create.

Alex

PS: I will consider putting this on the cookbook examples page as it
took quite a bit of work to get working, however it seems oddly specific
to a particular set of needs.


On Jul 27, 2012, at 6:52 PM, Peter Bowers wrote:

> On Wed, Jul 25, 2012 at 12:32 AM, Alex Eftimiades
> <alexeftimiades at gmail.com> wrote:
>> if (CondAuth($pagename, "admin")) {
>>   slAddAuth($wshAuthPage, "*.*",  
>> "read,create,insert,overwrite,append,prepend,attr,delete");
>>   $EnableWikiShDeletePage = true;
>>   $EnableWikiShChmod = true;
> ...
>> I tried modifying the CondAuth line with an "or $group=='WikiSh'" for
>> starters, but that did not seem to make a difference. I am quite
>> confused as to how to go about doing this.
>
> You wouldn't want to give this much permission to anybody accessing
> any page in the WikiSh group unless you have a very (!) trusted group
> of editors.  Some malicious person could, for instance, go to
> WikiSh.ControlPanel and execute a command like "rm *.*", thus deleting
> your entire wiki.  Of course you could go in behind the scenes and
> undelete them, but it would probably be a Very Bad Day...  WikiSh is a
> sharp tool which has the potential to cut the user if you're not very
> careful...
>
> However, as long as you make sure only very trusted individuals have
> edit capability on the WikiSh.Rename page (like if it is locked to the
> admin password) then you could give the permissions needed just when
> someone was doing the (pre-approved, unchangeable) script on that
> page:
>
>> if (CondAuth($pagename, "admin") || (CondAuth($pagename, "edit") &&  
>> $pagename == 'WikiSh.Rename')) {
>
> (Note that if your $pagename has not been resolved yet then it could
> look like WikiSh/Rename or something (note the slash instead of the
> period), but resolving $pagename (ResolvePageName) sets some cache
> values which should probably be done very close to the end of the
> config.php.  Note Petko's advice in
> http://www.pmichaud.com/pipermail/pmwiki-devel/2009-April/001613.html.
> It's documented somewhere else in more detail, but this is the link I
> found first and it should suffice)
>
> You've done a nice job of implementing the rename form.  Feel free to
> document your solution in the WikiShExamples if you like.
>
> Do be aware that if someone has set a per-page or per-group password
> somewhere such that the current user does not have edit permissions
> then WikiSh will *not* do the text substitution to fix the links on
> that page.  WikiSh *always* honors pmwiki authorizations according to
> the level of the current user. [1]  I'm assuming in your case most
> people are using a single edit password and so that doesn't cause
> problems, but I just mention it to be clear...
>
> -Peter
>
> [1] You can override this, but it's been made difficult to do
> intentionally because you should almost never do this.
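
Added example, not part of Alex's or Peter's messages and not WikiSh or SecLayer code: the permission decision from the config above written as a pure function, so that the slash form of the page name and missing OldPage/NewPage parameters fall back to "read". wikish_perms() and normalize_pagename() are hypothetical helpers, the page-name pattern is a simplified assumption, and $can stands in for CondAuth().

```php
<?php
// Added example: hypothetical helpers, not WikiSh/SecLayer code.
const WSH_FULL = "read,create,insert,overwrite,append,prepend,attr,delete";
const WSH_READ = "read";

// Accept "Group.Name" or the unresolved "Group/Name"; null if malformed.
// Assumption: a simplified page-name pattern, not PmWiki's own.
function normalize_pagename($raw) {
    if (!is_string($raw)) return null;
    $name = str_replace('/', '.', trim($raw));
    return preg_match('/^[^\s.\/]+\.[^\s.\/]+$/', $name) ? $name : null;
}

// $can is a callable (page, level) => bool standing in for CondAuth().
function wikish_perms($pagename, array $query, callable $can) {
    $page = normalize_pagename($pagename);
    // Outside the WikiSh group (or unparseable name): read only.
    if ($page === null || strpos($page, 'WikiSh.') !== 0) return WSH_READ;
    // Other WikiSh pages hold admin-authored scripts, as in the config above.
    if ($page !== 'WikiSh.Rename') return WSH_FULL;
    $old = normalize_pagename($query['OldPage'] ?? null);
    $new = normalize_pagename($query['NewPage'] ?? null);
    // Fail closed: missing or malformed parameters never reach the auth check.
    if ($old === null || $new === null) return WSH_READ;
    return ($can($old, 'edit') && $can($new, 'edit')) ? WSH_FULL : WSH_READ;
}

// Constructed sample user: may edit pages in Main, nothing else.
$can = function ($page, $level) {
    return $level === 'edit' && strpos($page, 'Main.') === 0;
};

// Constructed sample requests: page name plus query parameters.
$cases = [
    ['WikiSh.Rename', ['OldPage' => 'Main.A', 'NewPage' => 'Main.B']],
    ['WikiSh/Rename', ['OldPage' => 'Main.A', 'NewPage' => 'Main.B']],
    ['WikiSh.Rename', ['OldPage' => 'Main.A', 'NewPage' => 'Site.B']],
    ['WikiSh.Rename', ['OldPage' => 'Main.A']],
    ['Main.HomePage', []],
];
foreach ($cases as [$p, $q]) {
    printf("%-14s %-42s => %s\n", $p, json_encode($q), wikish_perms($p, $q, $can));
}
```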



