turnermm / newpagetemplate

Updated version of newpagetemplate for handling new template Events
http://www.dokuwiki.org/plugin:newpagetemplate

Why is the required permission not AUTH_READ but AUTH_CREATE? #6

Closed hokkaidoperson closed 5 years ago

hokkaidoperson commented 5 years ago

Hello

When I used this plugin at first, I saw the error "You do not have access to the template …" (while logging out from the superuser account). Then I found that this is because the ACL of the template was 'read' (I don't want to allow users to change the template) and the required permission was 'create' (Line 151 of action.php). I think that the permission check might be enough with 'AUTH_READ.'

Could you cope with it? (Tell me if there is a security risk I'm overlooking.)

turnermm commented 5 years ago

That sounds reasonable. I assume that the reasoning of the original author was that the user is in fact creating a new page and therefore needs create permission. I think the best way to handle this is to give the admin a choice as to whether to use CREATE or READ. But in the meantime you can make the change you want at line 151. If you are familiar enough with syntax plugins and can create a pull request which does this, that would be great.

turnermm commented 5 years ago

I've done the above myself. It is temporarily in a separate new branch: https://github.com/turnermm/newpagetemplate/archive/acl.zip Please install it and try it out. Thanks.

hokkaidoperson commented 5 years ago

Thank you, I'll use it.

In my wiki, the root namespace is set to the ACL 'read', and specific namespaces (such as 'a:' and 's:') are 'upload'. In this case, the template page is in the root namespace (that doesn't allow users to create pages), and users make pages in the namespaces 'a', 's', etc. with the template.
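
The ACL layout described in the last comment, as an added example that is not part of the thread or the plugin's code: a simplified stand-in for DokuWiki's `auth_quickaclcheck()` (one user group, nearest enclosing namespace rule wins) shows why requiring `AUTH_CREATE` on the template is refused, while `AUTH_READ` on the template combined with `AUTH_CREATE` on the target page is allowed. The page IDs and the functions `acl_level()` and `may_use_template()` are hypothetical; the permission constants carry DokuWiki's values.

```php
<?php
// Added example, not the plugin's code. Constants use DokuWiki's values
// and are only defined here when running outside DokuWiki.
if (!defined('AUTH_READ')) {
    define('AUTH_NONE', 0);
    define('AUTH_READ', 1);
    define('AUTH_EDIT', 2);
    define('AUTH_CREATE', 4);
    define('AUTH_UPLOAD', 8);
}

// Constructed ACL mirroring the wiki described above:
// root namespace is 'read', namespaces a: and s: are 'upload'.
$acl = ['*' => AUTH_READ, 'a:*' => AUTH_UPLOAD, 's:*' => AUTH_UPLOAD];

// Simplified stand-in for auth_quickaclcheck(): walk up from the page's
// namespace and return the level of the closest matching rule.
function acl_level(array $acl, string $id): int
{
    $parts = explode(':', $id);
    array_pop($parts);                       // drop the page name
    while ($parts) {
        $rule = implode(':', $parts) . ':*';
        if (isset($acl[$rule])) {
            return $acl[$rule];
        }
        array_pop($parts);                   // try the parent namespace
    }
    return $acl['*'] ?? AUTH_NONE;           // fall back to the root rule
}

// Hypothetical helper: the template is only read and the target page is
// created, so each ID is checked against the level that matches its use.
// $tplLevel models the admin's choice between READ and CREATE.
function may_use_template(array $acl, string $template, string $target,
                          int $tplLevel = AUTH_READ): bool
{
    return acl_level($acl, $template) >= $tplLevel
        && acl_level($acl, $target) >= AUTH_CREATE;
}

// Template in root, new page in a: with the READ requirement.
var_dump(may_use_template($acl, 'pagetemplate', 'a:report'));
// Same request with the CREATE requirement reported in this issue.
var_dump(may_use_template($acl, 'pagetemplate', 'a:report', AUTH_CREATE));
// Target page in root, where the user has no create right.
var_dump(may_use_template($acl, 'pagetemplate', 'report'));
```

Lowering the template requirement to read does not widen where pages can be created in this model, because the create check stays on the target page's own namespace.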