Hi *,

I'd like to start a discussion on the DokuWiki plugin API in relation to rights management and security. The sql-plugin [1] made me start thinking about that. The plugin syntax expects the MySQL user and password, which can then be viewed in the page source of the wiki page. Someone mentioned disabling the "view page-source" button in the wiki; IMHO that's only halfway to making it "secure". Everybody can see which plugins are installed via the info-plugin (if it's not disabled), and everybody can see the plugin syntax on [1], which enables everybody to use the plugin on a page where he has write permissions to fetch data from any database he/she knows the username and password for.

To get to the point, there's currently no way to let a plugin render output which can be viewed by everyone and restrict the same plugin to be used only by people with enough rights to use it.

However, I don't know if it would be possible/desirable to restrict the usage of a plugin to a group or user and make the output generated by the plugin viewable to everybody. I know it would be problematic, especially with plugins which disable caching.

Just thinking out loud. If no one thinks this is an issue, feel free to ignore me ;-).

[1] http://wiki.splitbrain.org/plugin:sql

--
Michael Klier
mail: chi@xxxxxxxxxxx
www: http://www.chimeric.de
icq: 206179334
jabber: chi@xxxxxxxxxxxxx
key: http://www.chimeric.de/chi.asc
key-id: 0x8308F551