Security-Talk

This is a talk page for improving Security.


How do I, in config.php, add, or remove, an edit password for a group (or single page)?

You cannot; go to Group.GroupAttributes?action=attr or Page?action=attr.

How do I only allow authors to post if they have a Profile?

Add this to your local/config.php below the include_once("$FarmD/scripts/author.php"); line:

## Authors without a Profiles.<Author> page fall back to the admin password for editing.
if (!PageExists('Profiles.'.$Author) && $action=='edit')
  $HandleAuth['edit'] = 'admin';

This is a possible solution, but be warned: authors can't edit their own wiki page in the Profiles group either. Add if($group!='Profiles') above ;-)
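A complete version of the two suggestions above, as an added example (not code from this page's contributors): it derives the group with PageVar, the same call the Profiles rule further down this page uses, and assumes the fragment sits in local/config.php after the author.php include so that $Author is already set.

```php
<?php
## Added example for local/config.php (place it after
## include_once("$FarmD/scripts/author.php"); so that $Author is populated).
## Editing outside the Profiles group requires that the author already has a
## profile page; inside Profiles the rule is skipped, otherwise a new author
## could never create Profiles.TheirName in the first place.
$group = PageVar($pagename, '$Group');

if ($action == 'edit' && $group != 'Profiles') {
  # An empty author name never has a profile; treat it like a missing one.
  $hasProfile = ($Author != '') && PageExists('Profiles.' . $Author);
  if (!$hasProfile) {
    # Fall back to the admin password instead of refusing outright, so the
    # site administrator can still edit while authenticated as admin.
    $HandleAuth['edit'] = 'admin';
  }
}
```

Because $HandleAuth['edit'] is only raised to 'admin' for the current request, pages that already carry their own edit password keep it; the rule adds a requirement, it does not replace existing ones.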

I am having trouble with password-protecting the read action on certain groups. I'd like a user to be able to login on the main page of that group with [[Internal.HomePage?action=login | Login]], but I end up with the page loading up the password prompt recursively. On the other hand, it worked on a different installation, where I read-protected the Main.HomePage. In my opinion, even if I try to access a certain page out of a read-protected group, I should at least be able to get the password prompt without ending up in a recursive loop. Any ideas? ~Jonas April 23, 2009, at 03:15 AM

This seems like a problem with sessions, either client-side cookies (check your browser or proxy) or server-side (the directory where PHP writes session data should exist and be read-writable). On some hosting services you need to create a "/.sessions" directory at the document root, or use in config.php session_save_path("{$_SERVER['DOCUMENT_ROOT']}/.sessions");. It is imperative that this directory is not accessible via http://yoursite/.sessions -- check your hosting provider's docs. --Petko May 07, 2009, at 06:16 PM
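One way to apply that advice with the checks a practitioner would want, as an added example that is not code written by Petko or the PmWiki project: it takes the /.sessions directory name from the reply above, assumes an Apache host that honours .htaccess for the deny rule, and uses PmWiki's Abort() to fail visibly when the directory cannot be used.

```php
<?php
## Added example for local/config.php: keep PHP session data in a private
## directory and refuse to run if it is unusable, instead of silently losing
## logins (which is what the recursive password prompt looks like).
$SessionDir = $_SERVER['DOCUMENT_ROOT'] . '/.sessions';  # name taken from the reply above

if (!is_dir($SessionDir)) {
  @mkdir($SessionDir, 0700);   # owner (the web server user) only
}
if (!is_dir($SessionDir) || !is_writable($SessionDir)) {
  Abort("Session directory $SessionDir is missing or not writable; create it and chmod 700 it");
}

## The directory sits under the document root, so also tell Apache never to
## serve its contents over HTTP (Apache 2.4 syntax; 2.2 used "Deny from all").
## This only helps where .htaccess files are honoured, so still verify that
## http://yoursite/.sessions/ returns 403, not a listing.
$deny = "$SessionDir/.htaccess";
if (!file_exists($deny)) {
  file_put_contents($deny, "Require all denied\n");
}

session_save_path($SessionDir);
```

session_save_path() must run before any session is started; config.php is included before PmWiki's session handling, so a fragment placed there is early enough.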

Is there a way to reveal all the markup as is revealed in an edit page without enabling editing?

This is possible if you allow the action source. Page download is protected for editing, but adding ?action=source to the URL reveals the markup used. Try it -- SchreyP July 15, 2010, at 08:51 AM

The following is related to PITS:01257 and needs fixing:

How do I password protect all common pages in all groups such as recent changes, search, group header, group footer, and so on?

Insert the following lines into your local/config.php file. Editing these pages then requires the admin password.

## Require admin password to edit RecentChanges (etc.) pages.
## pmcrypt() is PmWiki's wrapper around crypt(); plain crypt() without a salt
## no longer works on PHP 8.
if ($action=='edit'
    && preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename))
  { $DefaultPasswords['edit'] = pmcrypt('secret phrase'); }

Note that all GroupAttributes pages are protected by the attr password.

Alternative: you can require 'admin' authentication for these pages:

## Require admin password to edit RecentChanges (etc.) pages.
## Here the outer parentheses serve as the regex delimiters, so the match is
## unanchored and also catches names that merely contain these words.
if ($action=='edit'
    && preg_match('(Search|Group(Header|Footer)|(All)?RecentChanges)', $pagename))
  { $HandleAuth['edit'] = 'admin'; }

How to make a rule that allows only authors to edit their own wiki page in Profiles group?

Add this to your local/config.php

$name = PageVar($pagename, '$Name');
$group = PageVar($pagename, '$Group');
## 'id:name' grants edit to the user who is logged in (via AuthUser) under that name.
if ($group=='Profiles') $DefaultPasswords['edit'] = 'id:'.$name;

Note: anyplace you hide ?action=source, you probably also need to add security for ?action=diff. XES February 10, 2019, at 04:01 PM
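Putting the two points together (the admin requirement for the shared pages above, and XES's note that source and diff expose the same markup), as an added example rather than code from this page's contributors. It assumes the $HandleAuth mechanism the page already uses, with 'source' and 'diff' as the action names.

```php
<?php
## Added example for local/config.php.
## 1. Shared pages (Search, GroupHeader, GroupFooter, RecentChanges,
##    AllRecentChanges) need the admin password to edit. Anchoring the pattern
##    on the name suffix avoids also catching e.g. Main.SearchTips.
$SharedPagePattern = '/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/';
if ($action == 'edit' && preg_match($SharedPagePattern, $pagename)) {
  $HandleAuth['edit'] = 'admin';
}

## 2. ?action=source and ?action=diff both show the raw markup, including
##    (:if:) conditionals and comments that never render. Requiring edit
##    permission for them means that whatever edit protection a page has
##    (password, id:, or the admin rule above) also covers its markup.
##    These two settings are global and apply to every page.
$HandleAuth['source'] = 'edit';
$HandleAuth['diff']   = 'edit';
```

Check the result the same way the page suggests: open a protected page with ?action=source and ?action=diff appended while logged out and confirm the password prompt appears instead of the markup.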
