Questions answered by this recipe
- How can I protect my wiki from abuse of actions (?action=XYZ) that I didn't even know of?
This recipe prevents all actions that are not configured to be allowed. (Some are allowed by default.)
How to Install
2. Edit your local config file and set the permissions by adding lines like:
  SDVA($RequiredPermissionLevels, array(
    'action1' => 'userlevel1',
    'action2' => 'userlevel2',
    ...
    'actionN' => 'userlevelN',
  ));
where the actions are the ?action= values you want to allow and the userlevels are either
- native PmWiki privileges (read, edit, attr, ...),
- "*" or
"*" means do not add any extra protection,
3. Below these permissions, write the usual include code:
where X.X is the version number. If you're using AuthUser, include that before you include restrict_actions.
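A filled-in version of step 2, as an added example that is not part of the original recipe. The action names are standard PmWiki actions; the level chosen for each one is an assumption for illustration, and the recipe's own include line (step 3) is deliberately left out.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php fragment (added example, not the recipe author's code).
# Place it above the recipe's include line from step 3. If AuthUser is in
# use, its include comes before the recipe's include as well.

# SDVA() only fills in keys that are not set yet, so the entries below take
# precedence over whatever defaults the recipe ships with.
SDVA($RequiredPermissionLevels, array(
  # "*" = the recipe adds no extra protection for this action.
  'browse'     => '*',

  # Native PmWiki privileges: the action is allowed only for visitors who
  # hold that privilege on the page.
  'diff'       => 'read',
  'edit'       => 'edit',

  # Viewing the attribute form and saving it are two separate actions.
  # Allowing only 'attr' lets users see the form but not submit it.
  'attr'       => 'attr',
  'postattr'   => 'attr',

  # Same pairing for uploads: the form ('upload') and the POST handler
  # ('postupload') both have to be listed.
  'upload'     => 'upload',
  'postupload' => 'upload',
));

# Any ?action= value that is neither listed here nor allowed by the recipe's
# defaults is not executed; the recipe rewrites it (to 'login' since v1.6).
```

Keeping the form action and its post action on the same level avoids the case where a form is reachable but its submission is silently rewritten.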
Security and Privacy Reminder
Since v1.6, Restrict Actions is more paranoid by default, so it changes forbidden actions to login. (Before v1.6, it changed them to browse.) If you want to allow reading protected pages, find the two occurrences of
$action = 'login';
at the bottom of the recipe file and change them to
$action = 'browse';
See Discussion at RestrictActions-Talk.
- v1.6: now sets $FmtPV['$RequestedAction'] to the (defused) original action
- v1.5: Added special protection for "system" pages such as *.GroupHeader and *.GroupFooter
- v1.1: Optimized default values for wikis with multiple editors
- v1.0: Initial release
- If you want not just to view the attributes of a page (action=attr) but change them, please remember to allow the postattr action (disabled by default).
- If you want to use PmWiki's upload mechanism, you'll have to allow not only the upload action but also postupload. (Thanks to EdBrannin for pointing this out.)
- Sven - original author