On Mon, June 11, 2007 20:47, IchBin wrote:
> ThomasP wrote:
>> On Tue, June 5, 2007 20:02, IchBin wrote:
>>> IchBin wrote:
>>>
>>> Not sure if I mentioned this Thomas but as an 'admin' user there is no
>>> security problem posting a formatted item to the WikiCalendar using the
>>> (:wikilogbox:) markup. Guess this would rule out any non normalized
>>> page
>>
>> This is indeed quite good to know!!!
>>
>>> url. The problem is only with a regular user even though they have a
>>> 'ed_Calendar.*' rule. I mean the format of the calendar days is
>>> 'Calendar.yyyymmdd'.
>>>
>>
>> I have tested that 'Calendar.20071111' matches 'Calendar.*' with the UA2
>> functions, so no problems from the pattern check to be expected. It would
>> thus indeed be very interesting to know where the problem stems from.
>>
> ...
> 'Calendar.*' for rule 'ed_Calendar.*'. I think the rule is fine because
> if I do not use the (:wikilogbox:) markup to add or update a calendar
> date page I get no security error and works as designed.
>
> Doing this without the (:wikilogbox:) markup you do:
>
> - Select a day on the visible calendar on the
>   'Calendar/Calendar' page. This opens or creates a calendar date page.
> - Enter my text and save on that page and there is no problem.
> - After this it displays on the visual calendar and by using the
>   (:thisweek:) markup.
>
> If I take that rule out of this group I can not do what I just mentioned
> above. So the rule is fine there is a one-to-one relationship by having
> or not having that rule.

That is logical - so the rule itself and its interpretation by UA2 seems
not lacking.

> Seems that the problem is the interaction between the (:wikilogbox:) and
> UserAuth2.
>

Yes. To put a clear statement on this I would say:

If the UA2 module indeed denies Calendar/20071111 or whatever on level edit
though ed_Calendar.* is specified in a respective user perm record, then it
is a UA2 problem and I will find the solution. (Could theoretically happen
as part of variable interference. Is improbable though - I just had a look
in the WikiCalendar code, and nothing looks suspicious.)

If however you get insufficient privileges with something else (for example
with a permission level that is not known to (not registered with) UA2,
much more probable from what I can see), then it is the responsibility of
WikiCalendar to make sure the right parameters are delivered, or at least
to set a default permission level mapping like

    $HandleAuth['wikilog'] = ...; // whatever is useful, for example 'edit'

[If you got a newer version of UA2, then activating the logging with
$HTMLFooterFmt[] (search for "PERM" in userauth2.php) will tell you what
exactly is blocked.]

Thomas

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
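
The second case described in the message above (a page rule that matches, but an action whose permission level the auth layer does not know), as an added example that is not part of the original thread and is not UserAuth2 or WikiCalendar code. The `check` function, the `LEVEL_PREFIX` table, the action-to-level dictionaries and the `PERM ...` log format are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical model for illustration; not UserAuth2's implementation.
# Assumption: a rule is "<level prefix><page pattern>", with "ed_" meaning edit.
LEVEL_PREFIX = {"edit": "ed_"}


def check(action, page, user_rules, handle_auth):
    """Decide one request; return (allowed, log_line)."""
    level = handle_auth.get(action)  # action -> required permission level
    prefix = LEVEL_PREFIX.get(level)
    if prefix is None:
        # Fail closed: the level is missing or unknown to the auth layer,
        # so no page rule is ever consulted.
        return False, f"PERM deny action={action} page={page} reason=unknown-level:{level}"
    for rule in user_rules:
        if rule.startswith(prefix) and fnmatchcase(page, rule[len(prefix):]):
            return True, f"PERM allow action={action} page={page} rule={rule}"
    return False, f"PERM deny action={action} page={page} reason=no-matching-{level}-rule"


def demo():
    rules = ["ed_Calendar.*"]  # the regular user's rule from the thread
    page = "Calendar.20071111"
    cases = [
        ("edit", {"edit": "edit"}),                           # normal page save
        ("wikilog", {"edit": "edit"}),                        # action has no mapping
        ("wikilog", {"edit": "edit", "wikilog": "wikilog"}),  # level not registered
        ("wikilog", {"edit": "edit", "wikilog": "edit"}),     # mapped to a known level
    ]
    return [check(action, page, rules, auth) for action, auth in cases]


if __name__ == "__main__":
    for allowed, line in demo():
        print(allowed, line)
```

In this model the denial comes from the level lookup, not from the pattern match, which is why a per-decision log line is the quickest way to tell the two failure causes apart.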