01213: PageVar() should respect authentications

Summary: PageVar() should respect authentications
Created: 2010-07-28 03:58
Status: Closed - fixed for 2.2.24
Category: CoreCandidate
From: Petko
Priority: 4
Version: all

Description: Discussion with Eemeli Aro on the mailing list:


PageVar() should use RetrieveAuthPage() instead of ReadPage() to get the page. $PCache checks need to be reviewed.

Testing PageVars from Test.LockedPage. To see the PVs, login (the password is quick) and to hide them, logout.

 Title: "LockedPage"
 Titlespaced: "Locked Page"
 LastModifiedSummary: ""
 LastModifiedBy: ""
 LastModifiedHost: ""
 LastModified: "May 22, 2024, at 02:54 PM"
 LastModifiedTime: ""
 Description: ""
 PasswdRead: "****"
 PasswdEdit: "****"
 PasswdAttr: "@lock"

Those should always be visible:

 PageUrl: "$ScriptUrl/Test/LockedPage"
 FullName: "Test.LockedPage"
 Namespaced: "Locked Page"
 SiteGroup: "Site"
 VersionNum: "2003033"
 DefaultGroup: "PmWiki"
 DefaultName: "HomePage"
 Action: "browse"
 BaseName: "Test.LockedPage"
 Author: "" (YOU, not the author of LockedPage)

The local/PITS.01213.php file (or config.php) replaces $page with $authpage in the sensitive PageVariables with the following snippet:

foreach($FmtPV as $k=>$v) {
  if(preg_match('/^\\$(Title(spaced)?|LastModified(By|Host|Summary|Time)?|Description)$/', $k))
    $FmtPV[$k] = str_replace('$page', '$authpage', $v);