[pmwiki-users] delete GroupAttributes
Clemens Gruber
cgruber at uni-osnabrueck.de
Tue Jun 13 17:04:26 CDT 2006
Hello,
is this a security hole or a missconfiguration on my side: I've set in
local/config.php
## AuthUser, http://pmwiki.org/wiki/PmWiki/AuthUser
## and LDAP, http://www.pmwiki.org/wiki/Cookbook/AuthUser
include_once("$FarmD/scripts/authuser.php");
$DefaultPasswords['admin'] = 'id:myaccount';
# lock passwords, admin and upload passwords locked by default
$DefaultPasswords['attr'] = '*';
$DefaultPasswords['edit'] = '*';
$DefaultPasswords['read'] = '*';
Now I've definde a user-group in Site.AuthUser
@some-user: account1, account2
Next I set in Main.GroupAttributes?action=attr
read password: @some-user
edit password: @some-user
In this case I can't execute Main.GroupAttributes?action=attr as user
"account1" - there are no rights set before - thats ok. But I can edit
the page Main.GroupAttributes?action=edit and can delete this page by
typing "delete" in the textarea?? Now all settings made in
Main.GroupAttributes are reset. Any idea?
Clemens
More information about the pmwiki-users
mailing list