I just checked another fix for a security problem with PagePerms:
If users were signed in, but not authenticated, mostly by cookies, the
permission system wrongly granted access for these groups, if the
not-authenticated user (just the username) was a member of these groups:
admin, owner, creator
Now we check for the authenticated status (correct or no password) if
access is checked for these groups.
I also checked in the first working copy of WikiAdminSetAcl, but this
will need some more helpers. For example, to display if nothing was
changed, maybe not to store default ACLs, to change subpages also, and
to show if the selected pages have different settings.
--
Reini Urban
http://phpwiki.sf.net/
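
The check described in the message above, as an added example: this is not PhpWiki's code or the author's patch. The level constants, array layout and function names are hypothetical, and the page and user data are constructed.

```php
<?php
// Added illustration only; every name here is hypothetical, not PhpWiki's API.
const LEVEL_ANON          = 0; // no identity at all
const LEVEL_SIGNED        = 1; // username only, e.g. taken from a cookie
const LEVEL_AUTHENTICATED = 2; // identity has been verified

// Groups named in the message: membership follows from the username alone,
// so it must not be honoured for a user who is only signed in.
const PRIVILEGED_GROUPS = ['admin', 'owner', 'creator'];

// Groups the username would belong to for this page.
function claimedGroups(array $user, array $page): array {
    $groups = [];
    if ($user['name'] === $page['owner'])              $groups[] = 'owner';
    if ($user['name'] === $page['creator'])            $groups[] = 'creator';
    if (in_array($user['name'], $page['admins'], true)) $groups[] = 'admin';
    return $groups;
}

// Before the fix: any matching group grants access, whatever the auth level.
function mayAccessBefore(array $user, array $page, array $acl): bool {
    return (bool) array_intersect(claimedGroups($user, $page), $acl);
}

// After the fix: privileged groups count only for an authenticated user.
function mayAccessAfter(array $user, array $page, array $acl): bool {
    foreach (array_intersect(claimedGroups($user, $page), $acl) as $group) {
        $privileged = in_array($group, PRIVILEGED_GROUPS, true);
        if ($privileged && $user['level'] < LEVEL_AUTHENTICATED) {
            continue; // username matches, but nobody proved they are that user
        }
        return true;
    }
    return false;
}

// Constructed sample data.
$page = ['owner' => 'alice', 'creator' => 'alice', 'admins' => ['root']];
$acl  = ['owner', 'admin']; // groups allowed to edit this page
$cookieOnly = ['name' => 'alice', 'level' => LEVEL_SIGNED];
$loggedIn   = ['name' => 'alice', 'level' => LEVEL_AUTHENTICATED];

var_dump(mayAccessBefore($cookieOnly, $page, $acl)); // old behaviour
var_dump(mayAccessAfter($cookieOnly, $page, $acl));  // signed in only
var_dump(mayAccessAfter($loggedIn, $page, $acl));    // authenticated
```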