On our wiki, we have a few ACL'ed pages which we would like to make a little more secure (after all, what else is the point of making the pages access controlled in the first place?). This patch does an https redirect on those pages which are ACL controlled. Other pages are left alone, so as to have lower load on the server.

This could be done as a server re-write rule, but then the re-writes need to be kept in sync with the wiki, and it becomes difficult on a hosted service. Could be done as a plugin if this gets rejected for some purpose (based on ACTION_ACT_PREPROCESS) - but then I wouldn't be able to catch the 'admin' case (which I really don't think is a big deal)...

Comments appreciated.

diff --git a/inc/actions.php b/inc/actions.php index 4383e45..a9470bc 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -54,6 +54,13 @@ function act_dispatch(){ //check permissions $ACT = act_permcheck($ACT); + // SSL for ACL'ed pages, when logged in + if ($conf['useacl'] && $ACT != 'denied' && $_SERVER['REMOTE_USER'] && (auth_aclcheck($ID,'',null) == AUTH_NONE || $ACT == 'admin') && !is_ssl()) { + $url = "https://";. $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']; + header("Location: $url"); + exit; + } + //register if($ACT == 'register' && $_POST['save'] && register()){ $ACT = 'login';

--
DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist
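
Review bot: In the added `if` in act_dispatch(), the redirect fires only once `$_SERVER['REMOTE_USER']` is set, so by that point the login and the session cookie have already crossed plain HTTP, and the cookie keeps being sent in clear on every page the patch leaves alone. The redirect therefore protects the content of an ACL'ed page in transit but not the session that grants access to it; consider keeping a logged-in session on HTTPS throughout (redirect at login and mark the cookie secure) rather than switching per page. Two smaller points on the `$url` line: building the target from `$_SERVER['SERVER_NAME']` drops any non-default port and, on servers that derive that value from the Host header, lets the client pick the redirect host, so a configured base URL would be a safer source; and because the redirect is unconditional, a POST to an ACL'ed page has already been sent in clear and loses its body on the redirect, so limit it to GET or make sure the form itself is served over HTTPS. As it appears here the line also reads `"https://";.`, which would not parse.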