[pmwiki-users] Request for changing the default upload policy
H. Fox
haganfox at users.sourceforge.net
Wed Dec 21 14:39:07 CST 2005
On 12/21/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Wed, Dec 21, 2005 at 12:08:17PM -0600, Patrick R. Michaud wrote:
> > Your points about the security implications of read-protected pages
> > and attachments are quite valid, but I'm not sure that it's enough
> > to warrant changing the default setting. In my experience most
> > places that have read-protection do so on entire groups or the entire
> > site and not individual pages (but I could be wrong about this also).
>
> On the other hand, perhaps we could/should add an $EnableMaxSecurity=1;
> to config.php that makes most of these and other security-related
> settings the default, to change PmWiki's default permissiveness?

This is a fantastic idea.

> That is, with $EnableMaxSecurity enabled, editing would be locked by
> default,

Yet another reason Site.SideBar should be able to honor the sitewide
edit password.

> uploads would default to per-page instead of per-group,
> $EnableDirectDownload would be set to zero, etc. (Can anyone
> think of any others...?)

How about limiting some actions, such as ?action=diff and
?action=source, unless the visitor has edit permissions?

?action=diff should be limited for obvious reasons. Limiting
?action=source would keep unauthorized visitors from seeing something
like

    (:if ! auth edit:)
    Ha! Those poor slobs will never see this!
    (:if)

In the Light Skin I've gone to a "deny-unless-permitted" policy.

    if ($CMS_mode == TRUE
        && @$page['=auth']['edit'] == FALSE) {
      $Actions_allowed = array('browse','print','search','edit',
        'login', 'loginadmin','loginupload','rss', 'atom');
    }

Hagan
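
The deny-unless-permitted policy from the message above, set beside a policy that blocks only ?action=diff and ?action=source. This is an added example, not part of the original post and not PmWiki or Light Skin code; the function and constant names and the 'exampleaction' value are hypothetical.

```php
<?php
// Added illustration; not PmWiki or Light Skin code. Function and constant
// names are hypothetical. The allow list is the one quoted in the post.
const VISITOR_ACTIONS = ['browse', 'print', 'search', 'edit', 'login',
    'loginadmin', 'loginupload', 'rss', 'atom'];

// Deny list for comparison: only the two actions named in the post.
const BLOCKED_ACTIONS = ['diff', 'source'];

/** Deny-unless-permitted: visitors get only what is explicitly listed. */
function allow_by_allowlist($requested, bool $hasEditAuth): bool
{
    if ($hasEditAuth) {
        return true;                 // editors are not restricted here
    }
    // Exact, strictly typed match: anything that is not a listed string
    // (unknown action, different case, non-string input) is refused.
    return is_string($requested)
        && in_array($requested, VISITOR_ACTIONS, true);
}

/** Permit-unless-denied: anything not named on the list is let through. */
function allow_by_denylist($requested, bool $hasEditAuth): bool
{
    if ($hasEditAuth) {
        return true;
    }
    return !in_array($requested, BLOCKED_ACTIONS, true);
}

// Constructed sample requests from a visitor without edit permission.
// 'exampleaction' stands for an action added later by a recipe or upgrade
// that nobody remembered to add to the deny list.
$samples = ['browse', 'diff', 'source', 'exampleaction'];

foreach ($samples as $req) {
    printf("%-14s allowlist=%-5s denylist=%s\n",
        $req,
        allow_by_allowlist($req, false) ? 'allow' : 'deny',
        allow_by_denylist($req, false) ? 'allow' : 'deny');
}
```

Only the allow list refuses 'exampleaction'; the deny list lets it through until someone adds it by hand.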