Working on PHPrestrict plugin - have some questions
MadOverlord #1
Member since May 2016 · 6 posts
Group memberships: Members
Hi everyone,

I am playing around with writing a simple plugin (I've been using DokuWiki for a while but this is my first plugin). The idea is to make including PHP on DokuWiki pages safer. I have a couple of questions that perhaps interested parties can answer.

The two basic features the (action) plugin provides are:

  • You can restrict PHP to particular namespaces ("fred:"), pages ("fred:derf"), and prefixes ("fred:php*"). This lets you leverage the ACL to determine what users get to accidentally destroy your wiki with PHP. It completely overrides the PHP setting in config.

  • You can disable show source on PHP-enabled pages.

Questions:

  • Is there a way to reliably get access to the pre-parsed page text, so (for example) I can remove PHP on non-enabled pages? This is not a big deal but it would be nice to know how to do it. The PARSER_WIKITEXT_PREPROCESS event won't do the trick since it doesn't get called if there is no wiki-markup on the page (for example, a pure <php>...</php> page).

  • Any special security concerns (other than the usual ones about allowing PHP) that I should be thinking about? Right now, all it is doing is setting $conf['phpok'] based on the results of the namespace/page matching and appending to $conf['disableactions'].

  • Any features I should consider?

Thanks in advance,
Robert
turnermm (Moderator) #2
Member since Oct 2009 · 4032 posts · Location: Canada
Group memberships: Global Moderators, Members, Super Mods
See: https://www.dokuwiki.org/devel:event:io_wikipage_read

You should be able to modify the output by altering the result field in the AFTER phase of IO_WIKIPAGE_READ.
Myron Turner
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
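
The matching rules from the first post and the IO_WIKIPAGE_READ suggestion above, combined in an added example (not part of the thread and not the phprestrict plugin's code). The function names and sample rules are hypothetical; in a DokuWiki action plugin the stripping would be applied to the event's result field in the AFTER phase.

```php
<?php
// Added example. Rule syntax follows the first post:
// "ns:" = namespace, "ns:page" = exact page, "ns:pre*" = prefix.

/** True if page $id matches one of the allow rules. Unknown or empty rules never match. */
function php_allowed_for(string $id, array $rules): bool
{
    $id = strtolower(trim($id, ':'));
    foreach ($rules as $rule) {
        $rule = strtolower(trim($rule));
        if ($rule === '') continue;                    // empty rule must not match everything
        if (substr($rule, -1) === '*') {               // prefix rule, e.g. "fred:php*"
            $prefix = substr($rule, 0, -1);
            if ($prefix !== '' && strpos($id, $prefix) === 0) return true;
        } elseif (substr($rule, -1) === ':') {         // namespace rule, e.g. "fred:"
            // The trailing colon keeps "fred:" from matching "freddy:page".
            if (strpos($id, $rule) === 0) return true;
        } elseif ($id === $rule) {                     // exact page rule, e.g. "fred:derf"
            return true;
        }
    }
    return false;
}

/** Remove <php>/<PHP> blocks from raw wiki text, repeating until nothing changes. */
function strip_php_blocks(string $text): string
{
    do {
        $prev = $text;
        // A single pass is not enough: removing an inner block can splice a new <php> tag together.
        $text = preg_replace('#<php>.*?</php>#is', '', $prev);
        if ($text === null) return '';                 // PCRE error: fail closed
    } while ($text !== $prev);
    return $text;
}

// Constructed sample rules and page text, for illustration only.
$rules = ['fred:', 'wiki:tools', 'lab:php*'];
$page  = "Intro <ph<php></php>p>echo 1;</php> end";
foreach (['fred:derf', 'freddy:derf', 'lab:phpinfo', 'wiki:tools:x'] as $id) {
    $shown = php_allowed_for($id, $rules) ? $page : strip_php_blocks($page);
    echo $id, ' => ', $shown, "\n";
}
```

The editor appears to load page text through the same read path, so a real handler would likely need to skip the filter while a page is being edited, otherwise saving could drop the PHP; check this against your DokuWiki version.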
MadOverlord #3
Member since May 2016 · 6 posts
Group memberships: Members
Thanks. I'll keep that in mind for future implementation.

First version of the plugin is up at https://www.dokuwiki.org/plugin:phprestrict
FosseWay #4
Member since May 2016 · 101 posts · Location: Canada
Group memberships: Members
> including PHP on DokuWiki pages

As a newcomer to DokuWiki administration, I didn't know this was an option; thank you for opening my eyes to the possibility, and for adding to the pool of available plugins.

Although I don't yet have a reason to include PHP, could you clarify what you mean by this please?

> You can disable show source on PHP-enabled pages.

Do you mean client-side/browser View Source, or is this something server-side, e.g. a link which will show the source of the underlying DokuWiki thispage.txt (or whatever) on the server?
MadOverlord #5
Member since May 2016 · 6 posts
Group memberships: Members
There is a view source/export raw feature of the wiki that, unless disabled, lets people look at the source of the page (including the PHP if there is any on the page).

You can disable it for all pages on your site (and viewing the change history of the page) using the regular configuration settings under "disableactions".

phprestrict lets you disable view source/export raw on PHP-enabled pages regardless of the global setting, so you can stop people from looking at your PHP unless they have edit access.

Come to think of it, the feature should also disable the change history view as well. I'll pencil that in for the next version.
FosseWay #6
Member since May 2016 · 101 posts · Location: Canada
Group memberships: Members
Thanks again! I'm sorry I don't have more to contribute to your efforts, but I'm learning stuff from this thread. If my questions can give you ideas, then so much the better.