PrivateGroups
Summary: How to create private groups on public wikis
Status: Stable
Version: 1
Prerequisites: pmwiki-2.0
Maintainer:
Categories: Security
Votes: 5
Question
How can I create a private group on my public wiki, which is invisible to the public?
Answer
Setting read protection to a group
To create a group that is not visible to the public, set a password for the read permission on the GroupAttributes page. Enter the following into the browser's address bar for a group PrivateGroup to access its group attributes (passwords):
PrivateGroup.GroupAttributes?action=attr
Preventing private stuff from appearing in public search results and pagelists
PmWiki prevents this by default. Read-protected pages and groups are not listed in search results and pagelists, unless the user has read permission for those pages and groups. PmWiki sets this by default with So no action needs to be taken to prevent private pages from being listed in public.
Private stuff in RecentChanges
The page changes in the private group are posted to the group's RecentChanges page, but that is fine, because this page is read-protected like all the other pages in the group, through GroupAttributes?action=attr
Preventing private stuff from appearing in AllRecentChanges
All page changes are posted to
1. Restrict access to Site.AllRecentChanges by making it read-protected like the private group. You can do that using the following in the browser's address bar:
Site.AllRecentChanges?action=attr
Optionally you can create a Main.AllRecentChanges page for your non-private visitors. Here is some code for config.php that creates a Main.AllRecentChanges page excluding changes made in the private group:
    # Record the change in Main.AllRecentChanges unless it was made in the private group
    $thisgroup = FmtPageName('$Group', $pagename);
    if ($thisgroup != 'MyPrivateGroup') {
      $RecentChangesFmt['Main.AllRecentChanges'] =
        '* [[$Group.$Name]] . . . $CurrentTime $[by] '
        .'$AuthorLink: [=$ChangeSummary=]';
    } else {
      $RecentChangesFmt['Main.AllRecentChanges'] = '';
    }
2. Prevent changes made in the private group(s) from appearing in Site.AllRecentChanges by either
2a. creating a local/PrivateGroup.php file (create a file for each private group) with this content:
<?php if (!defined('PmWiki')) exit();
## This is here to kill recording of Private stuff in AllRecentChanges
unset($RecentChangesFmt["\$SiteGroup.AllRecentChanges"]);
2b. Or if you want to do it in local/config.php rather than in a separate script, try
    # Stop recording changes from PrivateGroup in Site.AllRecentChanges
    $thisgroup = FmtPageName('$Group', $pagename);
    if ($thisgroup == 'PrivateGroup') {
      unset($RecentChangesFmt['$SiteGroup.AllRecentChanges']);
    }
How can you do this for all read-protected pages?
This is kind-of experimental, but what follows seems to work on some sites:
    # Check if page has passwords for an access level
    function HasPW($pagename, $level) {
      global $AllowPassword;
      $page = RetrieveAuthPage($pagename, 'read', false, READPAGE_CURRENT);
      if (!$page)
        return true;
      $arr = $page["=passwd"][$level];
      if ($arr && !in_array("@$AllowPassword", $arr))
        return true;
      return false;
    }
    # Don't record public changes for read-locked pages
    if (HasPW($pagename, 'read'))
      unset($RecentChangesFmt['$SiteGroup.AllRecentChanges']);
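To confirm that the settings above took effect, the following added example (not part of the original recipe) scans the wiki markup of a public recent-changes page, such as Site.AllRecentChanges or Main.AllRecentChanges, for entries that belong to a private group. The function name, the group list and the sample lines are assumptions constructed for illustration; the entry layout follows the $RecentChangesFmt value shown earlier.

```python
import re

# Start of one recent-changes entry as produced by the format string
# '* [[$Group.$Name]] . . . ...'. Both "Group.Name" and "Group/Name" are accepted.
ENTRY_RE = re.compile(
    r"^\*\s*\[\[\s*([^\]|/.\s]+)[./]([^\]|\s]+)\s*(?:\|[^\]]*)?\]\]"
)

def find_private_leaks(markup, private_groups):
    """Return the sorted, unique 'Group.Name' entries whose group is private.

    Group names are compared case-insensitively so that a differently cased
    entry is still reported (a conservative choice for an audit).
    """
    private = {g.lower() for g in private_groups}
    leaks = set()
    for line in markup.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1).lower() in private:
            leaks.add(f"{m.group(1)}.{m.group(2)}")
    return sorted(leaks)

# Constructed sample markup, not taken from a real wiki.
SAMPLE = """\
* [[Main.HomePage]]  . . . March 01, 2024, at 10:02 AM by [[~alice]]: [=typo=]
* [[PrivateGroup.Budget]]  . . . March 01, 2024, at 10:05 AM by [[~bob]]: [=q1=]
* [[Main.PrivateGroup]]  . . . March 01, 2024, at 10:07 AM by [[~alice]]: [==]
* [[PrivateGroup/Roadmap]]  . . . March 01, 2024, at 10:09 AM by [[~bob]]: [==]
* [[PrivateGroup.Budget]]  . . . March 02, 2024, at 09:00 AM by [[~bob]]: [=fix=]
A prose line that merely mentions [[PrivateGroup.Budget]] is not an entry.
"""

if __name__ == "__main__":
    leaked = find_private_leaks(SAMPLE, ["PrivateGroup"])
    if leaked:
        print("Private pages listed in the public change log:")
        for name in leaked:
            print("  " + name)
    else:
        print("No private-group entries found.")
```

Run it against the page markup both before and after applying step 1 or step 2; entries recorded before the change stay on the page until they are edited out or age off.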
Securing file uploads to the private group
By default all file uploads to all groups are publicly accessible. Two extra steps need to be taken in order to secure uploads:
    Order Deny,Allow
    Deny from all
Please see SecureAttachments for more details about this. Note that uploads to a read-protected wikigroup are only as secure as the least-protected page in that group, so while it is technically possible to unprotect a single or select few pages within the group, doing so creates a window for public access to all file uploads to that group.
Notes
Releases
Comments
If you want to replace the standard Site.AllRecentChanges you should consider using
See Also
Contributors
Category: Security