From: Charles C. <ch...@ru...> - 2005-11-01 16:46:15
I recently upgraded the site I administer to 1.3.11p1 - see http://www.runegate.org/whitewall/wiki

It appears that the security that I implemented no longer works. For example, I set the acl on the . page so that only authenticated users in the groups WhiteWallWriters, Administrators and/or Owner could edit a page. However, when I go to the site, my session is in the state signed but I can still edit and save the front page.

My (edited) config.ini is below. Any ideas?

Regards,
Charles

INCLUDE_PATH = "/home/runega2/software/phpwiki"
GOOGLE_LINKS_NOFOLLOW = false
WIKI_NAME = WhiteWall
ENABLE_REVERSE_DNS = true
ADMIN_USER = WhiteWallAdmin
ADMIN_PASSWD = "xxx"
ENCRYPTED_PASSWD = true
ZIPDUMP_AUTH = false
ENABLE_RAW_HTML = false
ENABLE_RAW_HTML_LOCKEDONLY = false
ENABLE_RAW_HTML_SAFE = false
STRICT_MAILABLE_PAGEDUMPS = true
DEFAULT_DUMP_DIR = /home/runega2/whitewall/wikidump
HTML_DUMP_DIR = /home/runega2/whitewall/wikidumphtml
HTML_DUMP_SUFFIX = .html
MAX_UPLOAD_SIZE = 1050000
MINOR_EDIT_TIMEOUT = 604800
CACHE_CONTROL = LOOSE
CACHE_CONTROL_MAX_AGE = 600
COOKIE_EXPIRATION_DAYS = 365
DATABASE_TYPE = SQL
DATABASE_PREFIX = wwwiki_
DATABASE_DSN = "mysql://xxx:xxx@localhost/runega2_db"
DATABASE_PERSISTENT = false
DATABASE_SESSION_TABLE = session
DATABASE_DIRECTORY = /home/runega2/whitewall/files
DATABASE_DBA_HANDLER = gdbm
DATABASE_TIMEOUT = 5
SESSION_SAVE_PATH = /home/runega2/whitewall/session
MAJOR_MAX_AGE = 32
MAJOR_KEEP = 8
MINOR_MAX_AGE = 7
MINOR_KEEP = 4
AUTHOR_MAX_AGE = 365
AUTHOR_KEEP = 8
AUTHOR_MIN_AGE = 7
AUTHOR_MAX_KEEP = 20
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = false
ALLOW_USER_PASSWORDS = true
USER_AUTH_ORDER = "Db"
PASSWORD_LENGTH_MINIMUM = 6
USER_AUTH_POLICY = first-only
GROUP_METHOD = WIKIPAGE
DBAUTH_AUTH_USER_EXISTS = "SELECT userid FROM wwwiki_user WHERE userid='$userid'"
DBAUTH_AUTH_CHECK = "SELECT IF(passwd=PASSWORD('$password'),1,0) AS ok FROM wwwiki_user WHERE userid='$userid'"
DBAUTH_AUTH_CRYPT_METHOD = plain
DBAUTH_AUTH_UPDATE = "UPDATE wwwiki_user SET passwd=PASSWORD('$password') WHERE userid='$userid'"
DBAUTH_AUTH_CREATE = "INSERT INTO wwwiki_user SET passwd=PASSWORD('$password'),userid='$userid'"
DBAUTH_PREF_SELECT = "SELECT prefs FROM wwwiki_pref WHERE userid='$userid'"
DBAUTH_PREF_UPDATE = "REPLACE INTO wwwiki_pref SET prefs='$pref_blob',userid='$userid'"
DBAUTH_IS_MEMBER = "SELECT userid FROM wwwiki_member WHERE userid='$userid' AND groupname='$groupname'"
DBAUTH_GROUP_MEMBERS = "SELECT DISTINCT userid FROM wwwiki_member WHERE groupname='$groupname'"
DBAUTH_USER_GROUPS = "SELECT groupname FROM wwwiki_member WHERE userid='$userid'"
THEME = default
CHARSET = iso-8859-1
DEFAULT_LANGUAGE = en
PHPWIKI_DIR = /home/runega2/software/phpwiki
USE_PATH_INFO = true
TEMP_DIR = /home/runega2/whitewall/tmp

From: Reini U. <ru...@x-...> - 2005-11-01 18:36:23
I have an idea. I've only changed one single bit resp. I accepted a patch which changed it.

lib/main.php
Revision 1.217 2005/09/18 12:44:00 rurban
novatrope patch to let only _AUTHENTICATED view pages

2005/11/1, Charles Corrigan <ch...@ru...>:
> I recently upgraded the site I administer to 1.3.11p1 - see http://www.runegate.org/whitewall/wiki
> It appears that the security that I implemented no longer works. For example, I set the acl on the . page so that only authenticated
> users in the groups WhiteWallWriters, Administrators and/or Owner could edit a page. However, when I go to the site, my session is
> in the state signed but I can still edit and save the front page.
>
> My (edited) config.ini is below. Any ideas?
>
> Regards,
> Charles

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/