Summary: adding auth levels and page attributes
Version: 2011-12-23
Maintainer: HansB
Categories: Security Fox

Questions answered by this recipe

How can I restrict posting of comments to logged-in users, and prevent these users from having full page edit permission?


Adding an auth level or page attribute to control posting permissions.

Sometimes it may be desirable to permit only logged-in users to post comments via a comment form like FoxCommentBox or FoxAuthUserCommentBox, but at the same time prohibit the same users from editing the page. For such users we need an additional authorisation level, because they need more than 'read' authorisation and less than 'edit' authorisation.


We add in config.php, probably near the top, where we include authuser.php and set general sitewide passwords:

$PageAttributes['passwdpost'] = '$[Set new post password:]';
$DefaultPasswords['post'] = crypt('admin'); #set admin password as default

This creates a new 'post' attribute (authorisation level) and sets a sitewide admin password for that attribute, which prevents it from being 'clear' (not set) by default.
The other page attributes are 'read', 'edit', 'attr' and, if enabled, 'upload'.
A different word than 'post' could be used. We just replace the letters 'post' in the above with some others, in 'passwdpost', 'Set new post password:' and $DefaultPasswords['post'].

The new 'post' attribute will appear on the Attribute form of a page or the GroupAttributes page when using ?action=attr. So now we can set a password, or user ids or @groups in the 'post' field.

Now we just need to change Fox's default auth level, which is 'edit' (users with 'edit' authorisation are able to change page content via Fox forms), by setting in config.php:

$FoxAuth = 'post';

That would be general for all pages, but we could narrow it to a specific group in which we want to have comments posted, for instance a 'UserForum' group:

$group = PageVar($pagename,'$Group');
if ($group=='UserForum') $FoxAuth = 'post';


Use the new 'post' (or whatever you named it) auth level by setting a page or group attribute via ?action=attr, i.e. setting a password, or when using AuthUser, a user id (id:username) or user @group in the attribute field.

Or set a sitewide general password for 'post' in config, for example 'mypostpassword', with

$DefaultPasswords['post'] = crypt('mypostpassword');
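
The steps above combined into one config.php fragment, as an added example that is not part of the original recipe. It assumes AuthUser and Fox are installed at their usual paths and that 'UserForum' is the comment group; the '@lock' sitewide default and the 'id:*' group default (AuthUser's "any logged-in user") are choices made here for illustration.

```php
<?php if (!defined('PmWiki')) exit();
# Added example, not the recipe author's code.
# Assumed: standard install paths, a 'UserForum' group, AuthUser logins.

# 1. Register the new 'post' level so it appears on the ?action=attr form.
$PageAttributes['passwdpost'] = '$[Set new post password:]';

# 2. Never leave the new level clear. '@lock' admits only the admin
#    password, so no page accepts Fox posts at this level until a page
#    or group attribute (or the group rule below) opens it up.
$DefaultPasswords['post'] = '@lock';

# 3. Enable AuthUser so id:username and @group entries are honoured.
include_once("$FarmD/scripts/authuser.php");

# 4. Scope the change to the comment group only. Everywhere else Fox
#    keeps its default 'edit' requirement.
$pagename = ResolvePageName($pagename);
$group = PageVar($pagename, '$Group');
if ($group == 'UserForum') {
  # 'id:*' = any authenticated user may post, but gets no 'edit' right.
  # 'edit' itself must still be protected by its own password or ids,
  # otherwise the separate level restricts nothing.
  $DefaultPasswords['post'] = 'id:*';
  $FoxAuth = 'post';
}

# 5. Load Fox after $FoxAuth is decided (ordering assumed here so that
#    Fox's own default is not applied first).
include_once("$FarmD/cookbook/fox/fox.php");
```

A page or group can still override the group default through the 'post' field on ?action=attr, for example to limit posting to one @group.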


See also



See discussion at AddingAuthLevels-Talk
