I about have the mechanism in place to tighten down the hatches in ZAP as tight (I hope) as one could want--but the question may become how much is too much.
In particular I have a system in place by which I must manually unlock any function that has any kind of risk potential, and manually set a unique target page (or group) before any form can write to a page as well. A bit onerous but worth it if it solves our problems.

One question is, given the above assumptions, should I by default allow forms to post data to the same page without a special unlock step? (Seems to me Fox made this choice.) And what about having an automatically approved auth list--maybe groups like forum, blog, and comments or something? (Fox has also done this.) A malicious user could impose text on those pages, but with no commands or targets for those pages could not do much damage.

Thinking out loud--and looking for a recommendation... I want to combine security against the really smart folks out there like Pm--while maintaining as much ease of use as possible (for the simple folks, like me)...

Cheers,
Dan