01213: PageVar() should respect authentications

Summary: PageVar() should respect authentications
Created: 2010-07-28 03:58
Status: Closed - fixed for 2.2.24
Category: CoreCandidate
From: Petko
Assigned:
Priority: 4
Version: all
OS:

Description: Discussion with Eemeli Aro on the mailing list:

http://www.pmichaud.com/pipermail/pmwiki-users/2010-July/057758.html

PageVar() should use RetrieveAuthPage() instead of ReadPage() to get the page. $PCache checks need to be reviewed.

Testing PageVars from Test.LockedPage. To see the PVs, log in (the password is quick); to hide them, log out.

 Title: "LockedPage"
 Titlespaced: "Locked Page"
 LastModifiedSummary: ""
 LastModifiedBy: ""
 LastModifiedHost: ""
 LastModified: "November 20, 2024, at 06:21 AM"
 LastModifiedTime: ""
 Description: ""
 PasswdRead: "****"
 PasswdEdit: "****"
 PasswdAttr: "@lock"

These should always be visible:

 PageUrl: "$ScriptUrl/Test/LockedPage"
 FullName: "Test.LockedPage"
 Namespaced: "Locked Page"
 SiteGroup: "Site"
 VersionNum: "2003038"
 DefaultGroup: "PmWiki"
 DefaultName: "HomePage"
 Action: "browse"
 BaseName: "Test.LockedPage"
 Author: "" (YOU, not the author of LockedPage)

The local/PITS.01213.php file (or config.php) replaces $page with $authpage in the definitions of the sensitive PageVariables, using the following snippet:

# Point the sensitive page variables at $authpage instead of $page.
foreach($FmtPV as $k=>$v) {
  if(preg_match('/^\\$(Title(spaced)?|LastModified(By|Host|Summary|Time)?|Description)$/', $k))
    $FmtPV[$k] = str_replace('$page', '$authpage', $v);
}
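
An added example, not part of the original report and not PmWiki's own code: after the rewrite above has run, it lists any page variables whose definition still reads page attributes through $page[...], such as one defined by a recipe, because the name-based pattern only covers the listed variables. The sample $FmtPV entries, the $Summary variable and the unprotected_page_vars() helper are constructed for illustration.

```php
<?php
// Added example, not PmWiki code. Constructed sample of $FmtPV-style entries;
// the expression strings are illustrative, not copied from PmWiki's defaults.
$FmtPV = array(
  '$FullName'       => '"$group.$name"',
  '$Title'          => '@$page["title"]',
  '$LastModifiedBy' => '@$page["author"]',
  '$Description'    => '@$page["description"]',
  '$Summary'        => '@$page["summary"]',  // hypothetical recipe-defined variable
);

// The rewrite from the snippet above: only variables whose *name* matches
// the pattern are switched from $page to $authpage.
foreach ($FmtPV as $k => $v) {
  if (preg_match('/^\\$(Title(spaced)?|LastModified(By|Host|Summary|Time)?|Description)$/', $k))
    $FmtPV[$k] = str_replace('$page', '$authpage', $v);
}

// Hypothetical helper: return the variables whose definition still indexes
// $page[...] directly. "$authpage[" does not match, because the pattern
// requires "page" to follow the "$" immediately.
function unprotected_page_vars($fmtpv) {
  $out = array();
  foreach ($fmtpv as $k => $v) {
    if (preg_match('/\\$page\\s*\\[/', $v)) $out[] = $k;
  }
  sort($out);
  return $out;
}

// Report what the name-based rewrite did not cover.
foreach (unprotected_page_vars($FmtPV) as $k)
  echo "$k still reads from \$page: {$FmtPV[$k]}\n";
```

Run against a real configuration, the same check would go after all recipes are included, so that every custom definition is already present in $FmtPV.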