[dokuwiki] plugins - security and rights-management

  • From: Michael Klier <chi@xxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 2 Jun 2006 16:58:38 +0200

Hi *,

I'd like to start a discussion on the dokuwiki plugin-API in relation to
rights-management and security. The sql-plugin [1] made me start
thinking about that. The plugin-syntax expects the mysql-user and
password which then can be viewed in the page-source of the wiki-page.
Someone mentioned disabling the "view page-source" button in the wiki,
IMHO that's only halfway to making it "secure". Everybody can see
which plugins are installed via the info-plugin (if it's not disabled),
and everybody can see the plugin-syntax on [1], which enables everybody
to use the plugin on a page where he has write-permissions to fetch data
from any database for which he/she knows the username and password.

To get to the point, there's currently no way to let a plugin render
output which can be viewed by everyone and restrict the same plugin to
be only used by people with enough rights to use it.

However, I don't know if it would be possible/desirable to restrict the
usage of a plugin to a group or user and make the output, generated by
the plugin viewable to everybody. I know it would be problematic,
especially with plugins which disable caching.

Just thinking out loud. If no one thinks this is an issue feel free to
ignore me ;-).

[1] http://wiki.splitbrain.org/plugin:sql

-- 
Michael Klier

mail:   chi@xxxxxxxxxxx
www:    http://www.chimeric.de
icq:    206179334
jabber: chi@xxxxxxxxxxxxx
key:    http://www.chimeric.de/chi.asc
key-id: 0x8308F551
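
An added example, not part of the original post and not DokuWiki code: a minimal model of the policy the message asks for, where adding or changing a restricted plugin block is checked against the editor's groups at save time while rendering stays open to every reader. The `<sql ...>...</sql>` block shape, the `db` attribute, the group names and the function names are assumptions made for illustration.

```python
import re

# Assumed policy: plugin name -> groups allowed to add or change its blocks.
RESTRICTED_PLUGINS = {"sql": {"admin", "dbusers"}}

_NAMES = "|".join(map(re.escape, RESTRICTED_PLUGINS))
# Assumed syntax shape <name ...>body</name>; an unclosed tag is matched to
# the end of the text so that it cannot slip past the check.
_BLOCK_RE = re.compile(rf"<({_NAMES})\b[^>]*>(?:.*?</\1\s*>|.*)", re.I | re.S)


def restricted_blocks(text):
    """Return {(plugin, full block text)} for every restricted block in text."""
    return {(m.group(1).lower(), m.group(0)) for m in _BLOCK_RE.finditer(text)}


def check_save(old_text, new_text, editor_groups):
    """Return the plugins this editor added or changed without permission.

    Blocks carried over verbatim from the previous revision are accepted, so
    an unprivileged user can still edit the rest of the page, and rendering
    for readers needs no permission check at all.
    """
    introduced = restricted_blocks(new_text) - restricted_blocks(old_text)
    groups = set(editor_groups)
    return sorted({name for name, _ in introduced
                   if not RESTRICTED_PLUGINS[name] & groups})


# Constructed sample revisions (hypothetical attribute and query).
OLD = 'Visitor report\n<sql db="stats">SELECT count(*) FROM hits</sql>\n'
PROSE_EDIT = OLD + "Updated weekly.\n"
QUERY_EDIT = OLD.replace("FROM hits", "FROM accounts")

if __name__ == "__main__":
    print(check_save(OLD, PROSE_EDIT, ["user"]))
    print(check_save(OLD, QUERY_EDIT, ["user"]))
    print(check_save(OLD, QUERY_EDIT, ["dbusers"]))
```

Because the decision is made once per saved revision, it does not depend on who later views the page, which also keeps it compatible with cached output.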
