Thursday, May 3, 2007, 8:26:10 PM, The Editor wrote:

> One question is given the above assumptions, should I by default allow
> forms to post data to the same page without a special unlock step.
> (Seems to me Fox made this choice).

I am just mulling over this choice, and suspect it is no good. As we have seen, it is enough to include a form into a page by having it added to the GroupFooter for instance. Then someone can post to the page, even if it was protected.

It always comes to the same point: The target page for posting content needs to carry a mark, an attribute or a string, which will make it a legitimate posting target. Or the admin can expand this by giving permission for posting to other pages (for instance via a page pattern array).

> And what about having an
> automatically approved auth list--maybe groups like forum, blog, and
> comments or something (Fox has also done this). A malicious user
> could impose text on those pages, but with no commands or targets for
> those pages could not do much damage.

For Fox it was an attempt to make it easier setting up comment pages. But I did not have feedback on this. I guess there are many ways of creating comment pages, tied to a document page. So maybe it is better to leave it blank. But I would be curious to hear from others about this.

~Hans
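
The target check discussed in this message, sketched as an added example that is not code from Fox, PmWiki or this thread: a post is accepted only when the target page's own stored text carries a mark, or its name matches an admin-set page pattern array. The marker string, the function and variable names, and the leading "-" exclusion convention are assumptions made for illustration.

```php
<?php
// Added example: every name here is hypothetical, not a PmWiki or Fox API.

const POST_MARK = '(:posttarget:)';   // assumed marker string

// Admin-configured page patterns that may receive posts without a mark.
$PostTargetPatterns = ['Comments.*', 'Forum.*', '-Forum.Rules'];

/**
 * Decide whether $target may receive posted content.
 * $ownSource is the stored text of the target page itself, NOT the rendered
 * page, so a form or mark pulled in through GroupFooter does not count.
 */
function is_post_target(string $target, string $ownSource, array $patterns): bool
{
    // Accept only a plain Group.Name; reject anything else outright.
    if (!preg_match('/^[A-Za-z0-9][\w-]*\.[A-Za-z0-9][\w-]*$/', $target)) {
        return false;
    }
    // 1. The page carries the mark in its own source.
    if (strpos($ownSource, POST_MARK) !== false) {
        return true;
    }
    // 2. Admin pattern array; a leading "-" excludes and overrides any allow.
    $allowed = false;
    foreach ($patterns as $p) {
        if ($p !== '' && $p[0] === '-') {
            if (fnmatch(substr($p, 1), $target)) {
                return false;
            }
        } elseif (fnmatch($p, $target)) {
            $allowed = true;
        }
    }
    return $allowed;
}

// Constructed sample pages: name => stored source text.
$pages = [
    'Main.HomePage'          => 'Welcome.',                    // protected, no mark
    'Main.GuestBook'         => "Sign here.\n(:posttarget:)",  // marked
    'Comments.Main-HomePage' => '',                            // allowed by pattern
    'Forum.Rules'            => 'Read before posting.',        // excluded
];
foreach ($pages as $name => $src) {
    $ok = is_post_target($name, $src, $PostTargetPatterns);
    printf("%-24s %s\n", $name, $ok ? 'accept' : 'reject');
}
```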