RestrictActions

Summary: require admin privilege for most actions (if not defined otherwise).
Version: 1.5
Prerequisites: none
Status: stable
Maintainer: Sven
Categories: Security

Questions answered by this recipe

  • How can I protect my wiki from abuse of actions (?action=XYZ) that I didn't even know of?

Description

This recipe prevents all actions that are not configured to be allowed. (Some are allowed by default.)

How to Install

1. Download restrict_actions_v1.6.php and save it in your cookbook directory.

2. Edit your local config file and set the permissions by adding lines like:

SDVA($RequiredPermissionLevels, array(
    'action1' => 'userlevel1',
    'action2' => 'userlevel2',
    ...
    'actionN' => 'userlevelN',
));

where the actions are the ?action= values you want to allow and the userlevels are either

  • native PmWiki privileges (read, edit, attr, ...),
  • "*" or
  • "-".

"*" means do not add any extra protection, and "-" means disable the action completely (even for users with admin privilege).

3. Below these permissions, write the usual include code:

require_once "$FarmD/cookbook/restrict_actions_vX.X.php";

where X.X is the version number. If you're using AuthUser, include that before you include restrict_actions.
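A complete local/config.php fragment that follows the three steps above, added here as an illustration rather than the recipe's own code; the actions and levels in the table are an assumed example policy (adjust them to the actions your wiki actually uses):

```php
<?php
// Example local/config.php fragment for RestrictActions (added illustration,
// not the recipe's own code). The policy below is an assumed example policy:
// adapt the action list to what your wiki actually uses.

// AuthUser must be loaded before restrict_actions so that user/group based
// permission levels are already known when the action check runs.
require_once "$FarmD/scripts/authuser.php";

// Any ?action= value not listed here is forbidden (since v1.6 it is turned
// into 'login'), so only actions you deliberately allow stay reachable.
SDVA($RequiredPermissionLevels, array(
    // read-only actions: tie them to the page's read permission
    'browse'     => 'read',
    'print'      => 'read',
    'diff'       => 'read',
    'search'     => 'read',
    'download'   => 'read',
    // editing: attr only shows attributes, postattr is needed to change them
    'edit'       => 'edit',
    'attr'       => 'attr',
    'postattr'   => 'attr',
    // uploads need both the form action and the submit action
    'upload'     => 'upload',
    'postupload' => 'upload',
    // login/logout must stay reachable for everyone: no extra check
    'login'      => '*',
    'logout'     => '*',
    // an action this wiki never uses: disabled even for admins
    'crypt'      => '-',
));

// Include the recipe after the permission table so it picks up your values.
require_once "$FarmD/cookbook/restrict_actions_v1.6.php";
```

With this table, a request such as ?action=someunknownaction is not in the list and is therefore treated as forbidden, which is the protection the recipe is for.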

Security and Privacy Reminder

Since v1.6, Restrict Actions is more paranoid by default: it changes forbidden actions to login (before v1.6, it changed them to browse). If you want to allow reading protected pages, find the two occurrences of
$action = 'login';
at the bottom of the recipe file and change them to
$action = 'browse';

Comments

See Discussion at RestrictActions-Talk.

Releases

  • v1.6: now sets $FmtPV['$RequestedAction'] to the (defused) original action
  • v1.5: Added special protection for "system" pages such as *.GroupHeader and *.GroupFooter
  • v1.1: Optimized default values for wikis with multiple editors
  • v1.0: Initial release

Pitfalls

  • If you want not just to view the attributes of a page (action=attr) but change them, please remember to allow the postattr action (disabled by default).
  • If you want to use PmWiki's upload mechanism, you'll have to allow not only the upload action but also postupload. (Thanks to EdBrannin for pointing this out.)

See Also

Contributors

  • Sven - original author
