[ewiki] Re: create action, action-links flaw

> I think there's a problem with the current implementation of the create
> pseudo action.  If a call to ewiki_auth() originates as ewiki_auth($id,
> &$data, $action="setflags"), the current code would pass this to the perm
> plugin as $pf_perm($id, $data, 'create', $ring) thus allowing a setflags
> action to be performed on a page that the user only has create rights to.
>
> Instead I suggest that we not change the action at all inside of
> ewiki_auth() but rather expect auth plugins to know about and check this
> flag in $ewiki_config.

If there are already such things as "setflags", then we should follow the
trend and make $action always overinformative. The apparent fix here seems
to be to only set $action to "create" if ewiki_auth() was initially called
with $action=="edit" - because that's where ("create" instead of "edit")
you wanted the distinction.

mario
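
A simplified model of the flaw and of the fix proposed in the reply, added here as an example; it is not ewiki's code and not from either poster. The function names, the rights table and the assumption that the rewrite fires for a page that does not exist yet ($data is null) are hypothetical.

```php
<?php
// Simplified model of the "create" pseudo-action flaw; NOT ewiki's code.
// perm_plugin(), auth_flawed(), auth_fixed() and RIGHTS are hypothetical.

// Constructed rights table: this user may create pages and nothing else.
const RIGHTS = ['create' => true, 'edit' => false, 'setflags' => false];

// Stand-in for the permission plugin ($pf_perm in the thread).
function perm_plugin(string $id, ?array $data, string $action): bool {
    return RIGHTS[$action] ?? false;   // actions not in the table are denied
}

// Flawed: any action on a missing page is rewritten to "create", so the
// plugin never learns that the caller actually asked for "setflags".
function auth_flawed(string $id, ?array $data, string $action): bool {
    if ($data === null) {              // assumption: null means "no such page"
        $action = 'create';
    }
    return perm_plugin($id, $data, $action);
}

// Fix proposed in the reply: rewrite only when the call was made with "edit".
function auth_fixed(string $id, ?array $data, string $action): bool {
    if ($data === null && $action === 'edit') {
        $action = 'create';
    }
    return perm_plugin($id, $data, $action);
}

// Compare both variants for a create-only user on a missing page.
foreach (['edit', 'setflags', 'delete'] as $action) {
    printf("%-9s flawed=%-5s fixed=%s\n", $action,
        var_export(auth_flawed('NewPage', null, $action), true),
        var_export(auth_fixed('NewPage', null, $action), true));
}
```

With the flawed variant all three requests are granted on the strength of the create right alone; with the fixed variant only "edit" is mapped to "create" and the other two are judged under their own names.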
