CMSMode

Summary: Make your wiki look and act like a normal website for non-author visitors.
Version: 2016-09-28
Prerequisites: PmWiki >= 2.1
Status: Beta
Maintainer: Hagan Fox
Discussion: CMSMode-Talk
Categories: CMS Security

Description

This recipe adds some customizations so your wiki will look and act like a non-wiki website to non-author visitors.

Get the files.

Overview

Visitors' search results:
CMS Search Results (site version for visitors)

Authors' search results:
CMS Search Results (wiki version for authors)
This script makes your wiki look like a non-wiki website to visitors who are not authors. It works with the default skin and some other skins as well.

The script determines whether the visitor is an author by checking to see if they can edit a Test Page (Main.Wikisandbox by default).

If you can edit the Sandbox page, you're an author. Authors see everything just about as usual. (*)

If you're not logged in and just visiting, the recipe makes your site look and act like it isn't a wiki:

  • Only your site's pages will appear in search results. Lots of pages that are wiki-related will not appear.
  • Most PmWiki-related pages will be inaccessible.
  • The rel="nofollow" attribute is removed from external links, which will signal search engines to index your content.
  • Page modification times are simplified to just a date.
  • Only whitelisted wikiactions are permitted.

The script also modifies (All)RecentChanges behavior to improve your site's web feeds.

  • A Main.AllRecentChanges page is created that is appropriate to be used as a public site-wide web feed page.
  • RecentChanges pages other than $SiteGroup.AllRecentChanges will have a web feed-friendly format.
  • Discussion pages are excluded from the Group's feed.
  • Draft pages have their own separate feed, which is only accessible to authors.

Here are examples of the site-like appearance:

You can have groups or pages that are either hidden completely -- unless you're an author, of course -- or just hidden from searches and public changelogs, effectively becoming "by invitation only" pages. For example, by default,

  • Pages in a group named Test/ are completely off-limits to non-authors.
  • Pages in a group named Temp/ can be visited, but not searched.
  • Neither Test/ nor Temp/ pages appear in the public feed.

This means you can put pages in your Test/ group for testing and early-development purposes and use your Temp/ group for any page you want accessible, but kept out of the public site map.

Security

In CMS Mode your site is less vulnerable to abuse.

Hide the PmWiki version

PmWiki displays the installed version on the "PmWiki/PmWiki" page. If you tell search engines to index your site and that page gets indexed, then should a vulnerability later be found in that version, attackers could easily locate your site with a search engine query for the version string.

Protection from PmWiki actions

CMS Mode subjects PmWiki to a whitelist. Any wikiaction (?action=<something>) not explicitly permitted in the whitelist is ignored. Actions like ?action=source and ?action=diff that may reveal sensitive information will only work for authors.

Note: Other actions like ?action=refcount or an action created by a recipe are only in effect for authors unless you explicitly whitelist them. Be sure to do that or your recipes may appear to be broken.
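The following config.php fragment is an added illustration, not the recipe's own code, of how a wikiaction whitelist of the kind described above can be expressed in PmWiki's configuration idiom. The default list contents, the helper names CMSIsAuthor and CMSFilterAction, and the fallback to 'browse' are assumptions made for this example; $CMSAllowedActions and $CMSEditTestPage are the setting names the page documents, and SDV(), SDVA() and CondAuth() are PmWiki's own functions.

```php
## Added illustration (not the recipe's code): a wikiaction whitelist
## with an author test, in PmWiki config.php idiom.

## Local settings come first so that SDVA() below treats them as overrides.
$CMSAllowedActions[] = 'myrecipeaction';    # allow a recipe's action for visitors
$CMSAllowedActions['print'] = '';           # drop a default entry by blanking its key
SDV($CMSEditTestPage, 'Main.WikiSandbox');  # page whose edit permission marks an author

## Assumed default whitelist, keyed by action name so that an entry can be
## removed from config.php by assigning '' to its key. SDVA() only fills keys
## that are not already set, which is why the settings above take precedence.
SDVA($CMSAllowedActions, array(
  'browse' => 'browse', 'search' => 'search', 'print' => 'print',
  'login'  => 'login',  'logout' => 'logout', 'rss'   => 'rss'));

## Authors are recognised the way the recipe describes: by whether the visitor
## may edit the test page. CondAuth() checks without prompting for a password.
function CMSIsAuthor($pagename) {
  global $CMSEditTestPage;
  return CondAuth($CMSEditTestPage, 'edit');
}

## Decide whether an action may run for this visitor. Authors keep every
## action; non-authors get only whitelisted ones. Anything else falls back to
## 'browse' (an assumption for this illustration; the recipe says the action
## is ignored, which amounts to the same thing for the visitor).
function CMSFilterAction($pagename, $action) {
  global $CMSAllowedActions;
  if (CMSIsAuthor($pagename)) return $action;
  $allowed = array_filter($CMSAllowedActions, 'strlen');   # drop blanked keys
  return in_array($action, $allowed, true) ? $action : 'browse';
}

$action = CMSFilterAction($pagename, $action);
```

Because the appended entry gets a numeric key while the defaults are keyed by name, both customization forms the page shows (appending with [] and blanking a named key) survive the SDVA() merge, and the array_filter() call is what makes a blanked key count as "not whitelisted".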

Sensible Defaults (TM)

The script sets sensible (and override-able) defaults for $HandleAuth['source'], $HandleAuth['diff'], and $HandleAuth['upload'], adding some protection from administrator error. In some circumstances, authors will be prompted with a password rather than permitted to use these three actions.

Files

Installation

CMS Mode in config.php

Download the .tar.gz or .zip file, unpack it, and put cmsmode.php in your cookbook/ directory. Invoke it with the following somewhere near the end of your config.php file (definitely after any lines involving passwords/authentication):

## CMS Mode makes this wiki look like a normal
## non-wiki website for non-authors.
$pagename = ResolvePageName($pagename);
include_once("$FarmD/cookbook/cmsmode.php");

Customization

Settings work the usual way: a setting in a preceding script overrides the script's default values. You can add settings above the include_once() line in your config.php file.

The script is now highly customizable; you shouldn't need to edit the script to make changes for your local environment.

It's easy to add or remove items from lists that are now in PHP variables.

Wikiactions Whitelist

If you have any recipe that adds new PmWiki actions you may need to whitelist wikiactions for it using $CMSAllowedActions[].

If you want to add a wikiaction to the whitelist you can do it with

## Add a ?action=foo wikiaction to the
## CMS Mode wikiactions whitelist
$CMSAllowedActions[] = 'foo';

You can also easily remove a default whitelisted wikiaction. If you think a default one should be removed you can do so with something like this:

## Make it slightly harder to approve external links
$CMSAllowedActions['approvesites'] = '';

Another example

Here's an example that may be useful for copypasta purposes. Delicioso.

## Settings for CMS Mode
$pagename = ResolvePageName($pagename);
## Add some off-limits groups.
SDVA($CMSRedirGroups,array(
  'MyJumpPage', 'Stuff'));
## These will be omitted from search results.
SDVA($CMSExclSearchGroups,array(
  'MyJumpPage', 'Stuff', 'Alice','Category'));
## Changes made to these will be omitted from the RSS feed.
SDVA($CMSExclARCGroups,array(
  'MyJumpPage', 'Stuff', 'Alice', 'Category'));
## Allow ?action=myrecipeaction
$CMSAllowedActions[] = 'myrecipeaction';
## Disallow ?action=print
$CMSAllowedActions['print'] = '';
##  Enable the CMS Mode recipe.
$pagename = ResolvePageName($pagename);
include_once("$FarmD/cookbook/cmsmode.php");

Notes

This space is for Author-contributed commentary and notes. Please use the Comments section for User-contributed feedback.

The code in this recipe started as part of the Light Skin. It's known to work with Blog Skin, the default PmWiki skin (even better now than ever), and especially the mobile-responsive Adapt Skin.

Test your search results by searching for a single period (.) to see a complete sitemap.

(*) Authors' abilities are slightly more restricted compared to without the script running. If you have Admin authorization this script has no effect at all.

This script is part of the CMS Bundle recipe, but is independent of it.

Release Notes

Version: 2016-09-14

  • Tweaked CSS styling.
  • Added $CMSTimeFmt setting.

Version: 2014-05-21

Fixed default CSS styling in $CMSModeStylesPmSkin and $CMSModeStyles.

Version: 2014-05-19

The script is thoroughly refactored. The script's name is back to cmsmode.php (without the cmsb- prefix) and the status is switched to Beta. Many important settings now are arrays. Array settings are reworked so they can have items added or removed without requiring a complete list in the config file. Upgrading should be seamless from now forward.

  • The bundled docs are now in a separate cmsmode-README.txt file.
  • There are two archives, a .tar.gz and a .zip; the files in the .tar.gz are UNIX-formatted (CR) and the files in the .zip are DOS-formatted (CR-LF).
  • [...]

Version: 2014-05-18

Now getting the group and page names without using PageVar(). For some reason using PageVar() was causing unexpected oddness.

Version: 2014-05-17

  • Added 'logout' to the default allowed actions list, and other improvements for authors from the Search Page. Editors now get much more wiki-like look and feel on pages that are read-only to them.
  • Removed $CMSNoNavCSS setting and added $CMSPmSkinCSS setting. The setting is now completely configurable and CSS for the PmWiki skin only appears if it's the selected skin.

Version: 2014-05-16

Removed 'diff' from the default allowed actions list.

Version: 2014-05-15

  • Renamed $CMSRedirPages to $CMSRedirNames and $CMSExclARCPages to $CMSExclARCNames to stay closer to Pm's naming convention.
  • Added new $CMSExclSearchGroups and $CMSExclSearchNames settings for configurable Groups and Names to be excluded from searches. Now pretty much all important site-specific changes can be made in the (farm)config.php.
  • To determine if the visitor is an author for search purposes we now test the Test Page (Main.Wikisandbox by default) rather than the current page because e.g. Site.Search is write-protected, even for authors. Now search results are the same no matter what page you're visiting.

Version: 2014-05-14

  • Improved compatibility with the default PmWiki skin by hiding footer navigation links with "display:none" CSS.
  • Added CMSEditTestPage setting for author-or-not test.
  • Added some configurable settings
    • $CMSRedirGroups and $CMSRedirPages are group and page names that are unavailable to non-authors.
    • $CMSExclARCGroups and $CMSExclARCPages are group and page names that will not appear in the publicly-available AllRecentChanges file so it can be used as a web feed.

Version: 2016-09-19

  • Separated information block into a separate cmsmode-README.txt file.
  • Adjusted CMS Mode CSS styles for compatibility with Adapt Skin.

Version: 2016-09-19

  • Added a {$CMSMode} page variable.

Version: 2016-09-26

  • Some code cleanup.

Version: 2016-09-28

  • Added a {$View} page variable that is set when ?view=<some allowed value> is requested, and only for allowed values.
    • $_REQUEST is used, so the value can also arrive in a POST/PUT body, not just the query string.
    • Default allowed values are "wiki", "site", and "alt".
    • Configure an additional allowed value with: $CMSViewAllow['foo'] = 'foo';
  • Added the ability to see the site view (?view=site, for authors) and the wiki view (?view=wiki, for non-authors).
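As an added illustration of the request-value whitelist the 2016-09-28 notes describe (example code, not the recipe's own implementation), here is the same pattern written as a config.php fragment. $CMSViewAllow and the default values "wiki", "site" and "alt" come from the release notes; the helper name CMSPickView, the SDVA() defaulting and the way the page variable is registered are assumptions for this example. It stands in for what the recipe does, so it is for reading alongside the recipe rather than adding on top of it.

```php
## Added illustration (not the recipe's code): whitelist a ?view= value
## from the request and expose it as a page variable.

## Permit an extra ?view= value. Keys and values are the same string, so a
## default can later be removed by blanking its key.
$CMSViewAllow['print'] = 'print';

## Assumed defaults; SDVA() leaves the entry added above untouched.
SDVA($CMSViewAllow, array('wiki' => 'wiki', 'site' => 'site', 'alt' => 'alt'));

## Return the requested view only when it is whitelisted. A missing value, an
## unknown value, a non-string (e.g. view[]=x) or a key blanked with '' all
## yield ''. $_REQUEST is read so the value may come from the query string or
## a form body, as the release notes say.
function CMSPickView(array $allow, array $request) {
  if (!isset($request['view']) || !is_string($request['view'])) return '';
  $v = $request['view'];
  return (isset($allow[$v]) && $allow[$v] !== '') ? $allow[$v] : '';
}

## Register {$View} as a page variable. $FmtPV entries are PHP expressions,
## so the whitelisted value is wrapped as a quoted string literal; because
## only values from $CMSViewAllow can reach here, no request text is ever
## placed into the expression.
$FmtPV['$View'] = "'" . CMSPickView($CMSViewAllow, $_REQUEST) . "'";
```

With this in place a skin or page can branch on the value, for example with (:if equal {$View} site:) ... (:ifend:), and a request such as ?view=admin simply leaves {$View} empty instead of passing an unchecked string through to the markup.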

See Also

Contributors

Comments

See discussion at CMSMode-Talk
