[dokuwiki] Re: $INFO

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 20 Nov 2009 00:06:34 +0100

>> Why? What's in there that's problematic?
>
> There are usernames in it. There is specific file information of the page in 
> it (Path on the server ...). The ACL ... settings ...
> This is a lot of stuff that I think no one should see especially when the 
> "admin" is not aware that it's being "published" or when the wiki is being 
> used as corporate website.

First, let me explain why I even added it. We regularly get questions
from plugin authors on how they can access the current page ID or the
namespace from within their JavaScript. I myself recently needed a way
to find out if a user was logged in and what his user name was.

Both pieces of info were already somehow available to JavaScript by
grabbing them from the DOM, reading certain form fields and even some
JavaScript exports (like NS or SIG).

But this info was only available in a somewhat messy form. And
whenever a plugin needed some more info it had to add an additional
metaheader to write out a single variable (overhead of an action
plugin) or use an expensive AJAX call.

So my idea was to automatically export the $INFO array as it contains
all the info one usually needs to decide if a certain action should be
done or not.

Okay. Now let's have a closer look.

For everybody's reference I pasted a dump of a typical (but somewhat
messy) $INFO array at http://www.dokuwiki.org/devel:infoarray

Looking at the exported data, the only thing that I can see that
really shouldn't be there at all is the full file path. Since this is a
file system path it wouldn't even be useful for a JavaScript anyway.

Then we have a lot of data that is probably not too useful to have in
JavaScript, like the page abstract or the TOC array (though I could
come up with some ideas how to use that one). OTOH this stuff is
hardly security critical anyway.

And then there's some data that you probably object to like userinfo,
isadmin, ismanager, subscribed. But that's the data that really is
useful to have in JavaScript. And it's all data that is specific for
the current user. But it's data the user already knows (some of it is
BTW also available via ?do=check) - it is not secret.

I don't really like the idea of introducing a config variable for
completely disabling this export because I think some of this data
will become really useful for DokuWiki's core functionality, too.

Maybe we should condense the array and, instead of exporting all of $INFO,
export just selected keys. But which?

Andi

PS. Gerry, your site export plugin is a completely different thing.
Removing the JavaScript from within your plugin, or even better
completely creating your own meta headers is the sensible thing to do
there.

-- 
splitbrain.org
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
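The "export just selected keys" idea from the message above, shown as an added example (this is not DokuWiki's code and not Andi's, and it was not part of the original post). It assumes an allowlist approach: a fixed set of $INFO keys is copied into a JSON object and emitted as a JavaScript global (the global's name and the key names beyond those mentioned in the thread, such as the contents of userinfo, are assumptions), so the server file path, ACL details and the rest of $INFO never reach the browser. The sample $INFO array is constructed for the example.

```php
<?php
// Added example, not DokuWiki's own code. Demonstrates exporting only an
// allowlisted subset of $INFO to JavaScript instead of the whole array.

// Assumption: these $INFO keys are safe and useful client-side. The set is a
// starting point for the "but which?" question, not an official list.
const INFO_EXPORT_KEYS = ['id', 'namespace', 'isadmin', 'ismanager', 'subscribed'];

// Assumption about userinfo's layout: export only the display name and the
// group list, never the mail address or any password hash it may carry.
const USERINFO_EXPORT_KEYS = ['name', 'grps'];

// Copy allowlisted keys only; everything not named here (filepath, perm,
// meta, toc, ...) is dropped by construction rather than by a denylist.
function filter_info_for_js(array $info): array {
    $out = [];
    foreach (INFO_EXPORT_KEYS as $key) {
        if (array_key_exists($key, $info)) {
            $out[$key] = $info[$key];
        }
    }
    if (isset($info['userinfo']) && is_array($info['userinfo'])) {
        $user = [];
        foreach (USERINFO_EXPORT_KEYS as $key) {
            if (array_key_exists($key, $info['userinfo'])) {
                $user[$key] = $info['userinfo'][$key];
            }
        }
        $out['userinfo'] = $user;
    }
    return $out;
}

// Build the script element. The JSON_HEX_* flags escape <, >, &, ' and " so a
// page title or user name containing "</script>" cannot terminate the element.
function info_script_tag(array $info): string {
    $json = json_encode(
        filter_info_for_js($info),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // "JSINFO" is an assumed name for the exported global.
    return '<script type="text/javascript">var JSINFO = ' . $json . ";</script>\n";
}

// Constructed sample resembling the dump linked in the post; all values invented.
$INFO = [
    'id'         => 'wiki:syntax',
    'namespace'  => 'wiki',
    'filepath'   => '/var/www/dokuwiki/data/pages/wiki/syntax.txt',
    'isadmin'    => false,
    'ismanager'  => true,
    'subscribed' => false,
    'perm'       => 8,
    'userinfo'   => [
        'name' => 'Jane Doe',
        'mail' => 'jane@example.com',
        'grps' => ['user', 'editors'],
        'pass' => 'hashed-placeholder',
    ],
    'meta'       => ['description' => ['abstract' => 'Long page abstract ...']],
    'toc'        => [['hid' => 'intro', 'title' => 'Intro', 'level' => 1]],
];

echo info_script_tag($INFO);
// The emitted object carries id, namespace, isadmin, ismanager, subscribed and
// a reduced userinfo (name, grps); filepath, perm, meta, toc, mail and pass are absent.
```

The design choice worth noting is the allowlist: anything added to $INFO in a later release stays server-side until someone deliberately names it in INFO_EXPORT_KEYS, which is the opposite of the "export everything and argue about removals" situation the thread describes.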
