• View
• Edit
• History
• Attach
• Print
• Backlinks

RestrictActions

Questions answered by this recipe

• How can I protect my wiki from abuse of actions (?action=XYZ) that I didn't even know of?

Description

This recipe prevents all actions that are not configured to be allowed. (Some are allowed by default.)

How to Install

1. Download restrict_actions_v1.6.phpΔ and save it in your cookbook directory.

2. Edit your local config file and set the permissions by adding lines like:

SDVA($RequiredPermissionLevels, array(
    'action1' => 'userlevel1',
    'action2' => 'userlevel2',
    ...
    'actionN' => 'userlevelN',
  ));

where the actions are the ?action= values you want to allow and the userlevels are either

• native PmWiki privileges (read, edit, attr, ...),
• "*" or
• "-".

"*" means do not add any extra protection,

3. Below these permissions, write the usual include code:

where X.X is the version number. If you're using AuthUser, include that before you include restrict_actions.

Security and Privacy Reminder

Since v1.6, Restirct Actions is more paranoid by default, so it changes forbidden actions to login. (Until 1.6, it changed them to browse). If you want to allow reading protected pages, find the two occurences of
$action = 'login';
at the bottom of the receipe file and change them to
$action = 'browse';

Comments

See Discussion at RestrictActions-Talk.

Releases

• v1.6: now sets $FmtPV['$RequestedAction'] to the (defused) original action
• v1.5: Added special protection for "system" pages such as *.GroupHeader and *.GroupFooter
• v1.1: Optimized default values for wikis with multiple editors
• v1.0: Initial release

Reminders

• If you want not just to view the attributes of a page (action=attr) but change them, please remember to allow the postattr action (disabled by default).

See Also

• CMSBundle
• Session Guard

Contributors

• Sven - original author