[pmwiki-users] delete GroupAttributes
Patrick R. Michaud
pmichaud at pobox.com
Thu Jun 15 09:21:58 CDT 2006
On Wed, Jun 14, 2006 at 12:04:26AM +0200, Clemens Gruber wrote:
> Hello,
>
> is this a security hole or a missconfiguration on my side: I've set in
> local/config.php
> [...]
> In this case I can't execute Main.GroupAttributes?action=attr as user
> "account1" - there are no rights set before - thats ok. But I can edit
> the page Main.GroupAttributes?action=edit and can delete this page by
> typing "delete" in the textarea?? Now all settings made in
> Main.GroupAttributes are reset. Any idea?
It's a known bug -- http://www.pmwiki.org/wiki/PITS/00238 .
I'm still not entirely certain how I want to fix that.
On the other hand, you're the first person to ever stumble
across it (and that PITS entry was made eighteen months ago,
I added it as a placeholder because I knew the bug was there. :-)
I may be able to come up with a simple fix that requires attr
permission in order to actually delete a page.
Pm
More information about the pmwiki-users
mailing list