[ewiki] Re: create action, action-links flaw

> -----Original Message-----
> From: Mario Salzer [mailto:mario@xxxxxxxxxxxxx]
> Sent: Wednesday, March 24, 2004 3:46 PM
> To: ewiki@xxxxxxxxxxxxx
> Subject: [ewiki] Re: create action, action-links flaw
> 
> > I think there's a problem with the current implementation of the create
> > pseudo action.  If a call to ewiki_auth() originates as ewiki_auth($id,
> > &$data, $action="setflags"), the current code would pass this to the perm
> > plugin as $pf_perm($id, $data, 'create', $ring) thus allowing a setflags
> > action to be performed on a page that the user only has create rights to.
> >
> > Instead I suggest that we not change the action at all inside of
> > ewiki_auth() but rather expect auth plugins to know about and check this
> > flag in $ewiki_config.
> 
> If there are already such things like "setflags", then we should follow the
> trend and make $action always overinformative. The apparent fix here seems
> to be to only set $action to "create" if ewiki_auth() was initially called
> with $action=="edit" - because that's where ("create" instead of "edit")
> you wanted the distinction.
 
Checking the action before changing it is the apparent alternative fix, but
creating flags seems much more extendable, and since we have the flag in
config already, it requires no additional auth code.  As an additional bonus,
by being flag dependent, the auth plugins will follow the same methods to
check creation vs edit as any other interested plugin.

Andy
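
The flaw and the two fixes discussed in this thread, as an added PHP sketch that is not ewiki's code and not part of either message. The function names, the `$creating` parameter, the `creating_page` config key and the sample grants are hypothetical; only the action names "edit", "create" and "setflags" come from the thread.

```php
<?php
// Simplified model of the action-rewrite flaw; not ewiki's implementation.
// Assumption: $creating is true whenever the "create" pseudo action applies.

// Constructed sample grants: this user holds only the "create" right.
$grants = ["alice" => ["create"]];

// Stand-in for a permission plugin: is $action granted to $user?
function perm_plugin($user, $action, $grants) {
    return in_array($action, $grants[$user] ?? [], true);
}

// Flawed: every action is rewritten to "create", so "setflags" is
// checked against the user's create right.
function auth_flawed($user, $action, $creating, $grants) {
    if ($creating) { $action = "create"; }
    return perm_plugin($user, $action, $grants);
}

// Fix A (check before changing): rewrite only when the caller asked for "edit".
function auth_rewrite_edit_only($user, $action, $creating, $grants) {
    if ($creating && $action === "edit") { $action = "create"; }
    return perm_plugin($user, $action, $grants);
}

// Fix B (flag based): the action is passed through unchanged and the
// plugin itself reads a config flag to tell creation from editing.
function perm_plugin_flag_aware($user, $action, $grants, $config) {
    if ($action === "edit" && !empty($config["creating_page"])) {
        $action = "create";
    }
    return in_array($action, $grants[$user] ?? [], true);
}

function auth_flag_based($user, $action, $creating, $grants) {
    $config = ["creating_page" => $creating]; // hypothetical flag name
    return perm_plugin_flag_aware($user, $action, $grants, $config);
}

// Compare the three variants for a user with create rights only.
foreach (["edit", "setflags"] as $action) {
    printf("%-8s flawed=%s fixA=%s fixB=%s\n", $action,
        var_export(auth_flawed("alice", $action, true, $grants), true),
        var_export(auth_rewrite_edit_only("alice", $action, true, $grants), true),
        var_export(auth_flag_based("alice", $action, true, $grants), true));
}
```

Both fixes still let the create-only user through for "edit" while denying "setflags"; they differ in whether the distinction lives in the auth entry point or in each plugin.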
