CustomActions-Talk
Summary: Discussion of CustomActions
How can all actions (custom and built in) be disabled, and then only specific actions enabled?
The simplest is to set the forbidden action to one of the allowed actions like 'browse'. --Petko
$allowed_actions = 'browse|search|print';
if(!preg_match("/^($allowed_actions)$/", $action)) $action = 'browse';
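A stricter form of the allowlist check above, as an added example that is not part of the original talk page or of PmWiki: restrict_action() and the sample inputs are hypothetical and constructed for illustration. It compares the regex test with an exact-match lookup on inputs such as a trailing newline or a non-string value.

```php
<?php
// Added example, not PmWiki code. restrict_action() is a hypothetical helper.
function restrict_action($action, array $allowed, string $fallback = 'browse'): string {
  // A request parameter can arrive as an array or be missing entirely;
  // anything that is not a string falls back to the safe action.
  if (!is_string($action)) return $fallback;
  // Exact, case-sensitive comparison against the list. There are no regex
  // metacharacters to escape, and "browse\n" is rejected, whereas a bare `$`
  // in PCRE also matches just before a final newline.
  return in_array($action, $allowed, true) ? $action : $fallback;
}

// Constructed sample inputs, not taken from any real request log.
$allowed = ['browse', 'search', 'print'];
$samples = ['browse', 'print', 'edit', "browse\n", 'BROWSE', ['browse'], null, 'browse|edit'];

foreach ($samples as $s) {
  // The regex test from the snippet above, guarded so that non-strings do not raise a TypeError.
  $regex = (is_string($s) && preg_match('/^(browse|search|print)$/', $s)) ? 'pass' : 'reject';
  printf("%-14s regex=%-6s strict=%s\n", json_encode($s), $regex, restrict_action($s, $allowed));
}
```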
How can $HandleAuth be set to "admin" for all actions (custom and built in), and then relaxed only for specific actions?
This is more complex, it might possibly be done with an array proxy. After some testing, this seems to work on PHP 8.x. --Petko
class AuthProxy extends ArrayObject {
  private $defaultLevel;
  private $storage = []; // Internal real array to hold references

  public function __construct($default = 'admin') {
    parent::__construct([]);
    $this->defaultLevel = $default;
  }

  public function addPerm(array $perms) {
    foreach ($perms as $action => $level) {
      $this->storage[$action] = $level;
    }
  }

  #[\ReturnTypeWillChange] // Silences modern PHP deprecation warnings
  public function &offsetGet($offset) { // Return by reference
    if (array_key_exists($offset, $this->storage)) {
      $temp = $this->storage[$offset];
      return $temp;
    }
    // We return a temporary copy of the default because SDV()
    // needs a reference to a variable, not a literal string.
    $tempDefault = $this->defaultLevel;
    return $tempDefault;
  }

  public function offsetExists($offset): bool {
    return true;
  }

  public function offsetSet($offset, $value): void {
    // Lock remains active: standard assignments do nothing.
  }
}
// 1. Initialize, scorched earth
global $HandleAuth;
$HandleAuth = new AuthProxy('admin');
// 2. Explicitly allow or re-allow ALL actions using the new method
$HandleAuth->addPerm([
  'browse' => 'read',
  'print' => 'read',
  'search' => 'edit',
  'diff' => 'edit',
]);
// DECLARATIONS LIKE THESE, EARLIER OR LATER, WILL BE IGNORED!
$HandleAuth['breathe'] = 'edit';
$HandleAuth['eat'] = 'upload';
SDV($HandleAuth['bathe'], 'read');
The recipes also need to use the standard way of receiving the $auth level as the second argument. --Petko
function HandleEat($pagename, $auth) {
  # This should work, $auth is the intercepted level:
  $page = RetrieveAuthPage($pagename, $auth, true, READPAGE_CURRENT);
  # This will not work, 'edit' is hardcoded:
  $page = RetrieveAuthPage($pagename, 'edit', true, READPAGE_CURRENT);
  if(!$page) return Abort('?no permissions');
  # ...
}
Also I noticed something unintuitive, if 'edit' is not protected (PmWiki default). With this:
$HandleAuth->addPerm(['diff' => 'edit']);
Now $HandleAuth['diff'] is 'admin' and locked but $HandleAuth['edit'] is 'edit' and unlocked. --Petko
This is a talk page for improving PmWiki.CustomActions.